CVE-2026-23043
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix NULL pointer dereference in do_abort_log_replay()
Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A summary of the vulnerability: a NULL pointer dereference in the Linux kernel's btrfs filesystem during log replay, which can cause a crash when memory allocation fails.
Vulnerability
A NULL pointer dereference vulnerability exists in the Linux kernel's btrfs filesystem, specifically in the do_abort_log_replay() function. The issue was reported by Coverity (CID 1666756). When btrfs_alloc_path() fails in replay_one_buffer(), the wc->subvol_path pointer is NULL. However, btrfs_abort_log_replay() calls do_abort_log_replay(), which unconditionally dereferences wc->subvol_path when attempting to print debug information, leading to a NULL pointer dereference [1][2].
Exploitation
An attacker would need to trigger a memory allocation failure in the btrfs log replay path, which could occur under low memory conditions or through specific filesystem operations that cause the log to be replayed. The vulnerability is triggered during filesystem mount or recovery operations when the log replay code is executed. No special privileges beyond normal filesystem access are required to trigger the condition, but the attacker must be able to influence memory pressure or cause log replay to occur.
Impact
Successful exploitation results in a kernel NULL pointer dereference, which typically causes a kernel panic (denial of service). This could lead to system crash or instability. The vulnerability does not appear to allow arbitrary code execution or privilege escalation, as the dereference is for a debug print statement.
Mitigation
The fix adds a NULL check before dereferencing wc->subvol_path in do_abort_log_replay(). The patch has been applied to the Linux kernel stable branches as commits 6d1b61b8e1e4 and 530e3d4af566 [1][2]. Users should update their kernels to include these patches.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
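The failure pattern described above, as an added userspace model (not the kernel's code and not the upstream patch): the allocation failure is what sends control into the abort path, so the reporter must tolerate a NULL subvol_path. All model_* names, the struct layouts and the message text are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: these types are assumptions, not kernel structures. */
struct model_path { unsigned long long objectid; };
struct model_walk_control { struct model_path *subvol_path; };

/* Stand-in for btrfs_alloc_path(); fail != 0 simulates allocation failure. */
static struct model_path *model_alloc_path(int fail)
{
    return fail ? NULL : calloc(1, sizeof(struct model_path));
}

/* Abort reporter with the NULL check: returns 1 if path details were printed. */
static int model_abort_log_replay(const struct model_walk_control *wc,
                                  int err, char *buf, size_t len)
{
    if (!wc->subvol_path) { /* without this guard the next snprintf faults */
        snprintf(buf, len, "log replay aborted: %d (no path)", err);
        return 0;
    }
    snprintf(buf, len, "log replay aborted: %d objectid %llu", err,
             wc->subvol_path->objectid);
    return 1;
}

/* Model of the caller: a failed allocation leads straight to the reporter. */
static int model_replay_one_buffer(int fail_alloc, char *buf, size_t len)
{
    struct model_walk_control wc = { model_alloc_path(fail_alloc) };
    int ret = 0;

    buf[0] = '\0';
    if (!wc.subvol_path) {
        ret = -ENOMEM;
        model_abort_log_replay(&wc, ret, buf, len);
    }
    free(wc.subvol_path);
    return ret;
}

int main(void)
{
    char msg[96];
    printf("ret=%d ", model_replay_one_buffer(1, msg, sizeof(msg)));
    printf("msg=\"%s\"\n", msg);
    return 0;
}
```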