FKIE_CVE-2026-23214

Vulnerability from fkie_nvd - Published: 2026-02-18 15:18 - Updated: 2026-02-18 17:51
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: reject new transactions if the fs is fully read-only [BUG] There is a bug report where a heavily fuzzed fs is mounted with all rescue mount options, which leads to the following warnings during unmount: BTRFS: Transaction aborted (error -22) Modules linked in: CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline] RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611 Call Trace: <TASK> btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705 btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157 btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517 btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708 btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130 btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499 btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628 evict+0x5f4/0xae0 fs/inode.c:837 __dentry_kill+0x209/0x660 fs/dcache.c:670 finish_dput+0xc9/0x480 fs/dcache.c:879 shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661 generic_shutdown_super+0x67/0x2c0 fs/super.c:621 kill_anon_super+0x3b/0x70 fs/super.c:1289 btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127 deactivate_locked_super+0xbc/0x130 fs/super.c:474 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318 task_work_run+0x1d4/0x260 kernel/task_work.c:233 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x694/0x22f0 kernel/exit.c:971 do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 __do_sys_exit_group kernel/exit.c:1123 [inline] __se_sys_exit_group kernel/exit.c:1121 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121 x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x44f639 Code: Unable to access opcode bytes at 0x44f60f. RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 </TASK> Since rescue mount options will mark the full fs read-only, there should be no new transaction triggered. But during unmount we will evict all inodes, which can trigger a new transaction, and triggers warnings on a heavily corrupted fs. [CAUSE] Btrfs allows new transaction even on a read-only fs, this is to allow log replay happen even on read-only mounts, just like what ext4/xfs do. However with rescue mount options, the fs is fully read-only and cannot be remounted read-write, thus in that case we should also reject any new transactions. [FIX] If we find the fs has rescue mount options, we should treat the fs as error, so that no new transaction can be started.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1972f44c189c8aacde308fa9284e474c1a5cbd9f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3228b2eceb6c3d7e237f8a5330113dbd164fb90d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a928eecf030a9a5dc5f5ca98332699f379b91963
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject new transactions if the fs is fully read-only\n\n[BUG]\nThere is a bug report where a heavily fuzzed fs is mounted with all\nrescue mount options, which leads to the following warnings during\nunmount:\n\n  BTRFS: Transaction aborted (error -22)\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted\n  6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]\n  RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705\n   btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157\n   btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517\n   btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708\n   btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130\n   btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499\n   btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628\n   evict+0x5f4/0xae0 fs/inode.c:837\n   __dentry_kill+0x209/0x660 fs/dcache.c:670\n   finish_dput+0xc9/0x480 fs/dcache.c:879\n   shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661\n   generic_shutdown_super+0x67/0x2c0 fs/super.c:621\n   kill_anon_super+0x3b/0x70 fs/super.c:1289\n   btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127\n   deactivate_locked_super+0xbc/0x130 fs/super.c:474\n   cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318\n   task_work_run+0x1d4/0x260 kernel/task_work.c:233\n   exit_task_work include/linux/task_work.h:40 [inline]\n   do_exit+0x694/0x22f0 kernel/exit.c:971\n   do_group_exit+0x21c/0x2d0 kernel/exit.c:1112\n   __do_sys_exit_group kernel/exit.c:1123 [inline]\n   __se_sys_exit_group kernel/exit.c:1121 [inline]\n   __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121\n   x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x44f639\n  Code: Unable to access opcode bytes at 0x44f60f.\n  RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\n  RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639\n  RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\n  RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0\n  R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n   \u003c/TASK\u003e\n\nSince rescue mount options will mark the full fs read-only, there should\nbe no new transaction triggered.\n\nBut during unmount we will evict all inodes, which can trigger a new\ntransaction, and triggers warnings on a heavily corrupted fs.\n\n[CAUSE]\nBtrfs allows new transaction even on a read-only fs, this is to allow\nlog replay happen even on read-only mounts, just like what ext4/xfs do.\n\nHowever with rescue mount options, the fs is fully read-only and cannot\nbe remounted read-write, thus in that case we should also reject any new\ntransactions.\n\n[FIX]\nIf we find the fs has rescue mount options, we should treat the fs as\nerror, so that no new transaction can be started."
    }
  ],
  "id": "CVE-2026-23214",
  "lastModified": "2026-02-18T17:51:53.510",
  "metrics": {},
  "published": "2026-02-18T15:18:42.717",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1972f44c189c8aacde308fa9284e474c1a5cbd9f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3228b2eceb6c3d7e237f8a5330113dbd164fb90d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a928eecf030a9a5dc5f5ca98332699f379b91963"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.