VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Apr 3, 2026· Updated Apr 23, 2026

CVE-2026-23423

CVE-2026-23423

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: free pages on error in btrfs_uring_read_extent()

In this function the 'pages' object is never freed in the hopes that it is picked up by btrfs_uring_read_finished() whenever that executes in the future. But that's just the happy path. Along the way previous allocations might have gone wrong, or we might not get -EIOCBQUEUED from btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a cleanup section that frees all memory allocated by this function without assuming any deferred execution, and this also needs to happen for the 'pages' allocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel's btrfs_uring_read_extent() fails to free pages on error paths, risking resource exhaustion.

Vulnerability

A memory leak exists in the Linux kernel's btrfs_uring_read_extent() function within the Btrfs file system. The function allocates a pages object that is normally freed by btrfs_uring_read_finished() on success. However, on error paths—such as when earlier allocations fail or btrfs_encoded_read_regular_fill_pages() does not return -EIOCBQUEUED—the function jumps to a cleanup section that frees other allocated memory but omits freeing pages, causing it to be leaked [1][2][3].

Exploitation

To trigger this vulnerability, an attacker must have the ability to perform file read operations using io_uring on a Btrfs filesystem. The error path can be reached under conditions that cause allocation failures or unexpected return values, for example, during low-memory situations or by inducing I/O errors. No special privileges are required beyond local access to trigger the operations.

Impact

An unprivileged local user can exploit this memory leak to gradually exhaust system memory, potentially leading to a denial-of-service (DoS) condition. Over time, repeated exploitation could deplete available memory, causing system instability or crashes.

Mitigation

The issue is fixed in Linux kernel stable commits [1][2][3]. Users should update to a patched kernel version that includes the fix, which ensures pages is freed in all cleanup paths.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel9 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.13.1,<6.18.17
    • cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
  • Linux/Linux Kernel Rtllm-fuzzy

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.