CVE-2026-31666
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption.
Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.
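The return-value pattern described above, as an added example that is not taken from the kernel source or from the fix commit: a simplified user-space model in which the structs, next_leaf(), the "ref" field and scenario() are hypothetical stand-ins, and the leaf contents are constructed sample data. It runs the same lookup with the merged-variable behaviour and with the explicit -ENOENT return.

```c
/* User-space model, not kernel source; structs, next_leaf() and "ref" are hypothetical. */
#include <errno.h>
#include <stdio.h>

struct key  { unsigned long objectid; int type; unsigned long ref; };
struct leaf { const struct key *keys; int nritems; const struct leaf *next; };
struct path { const struct leaf *leaf; int slot; };

/* Stand-in for btrfs_next_leaf(): 0 = moved to next leaf, 1 = none left. */
static int next_leaf(struct path *p)
{
    if (!p->leaf->next)
        return 1;
    p->leaf = p->leaf->next;
    p->slot = 0;
    return 0;
}

/* fixed == 0: merged-variable behaviour; fixed != 0: explicit -ENOENT. */
static int lookup_ref(struct path *p, const struct key *want, int fixed)
{
    int ret = -ENOENT;                      /* one variable for both roles */
    for (;;) {
        while (p->slot >= p->leaf->nritems) {
            ret = next_leaf(p);             /* success overwrites -ENOENT with 0 */
            if (ret)
                return -ENOENT;
        }
        const struct key *k = &p->leaf->keys[p->slot];
        if (k->objectid != want->objectid || k->type != want->type)
            return fixed ? -ENOENT : ret;   /* unfixed: returns the stale 0 */
        if (k->ref == want->ref)
            return 0;                       /* genuine match */
        p->slot++;
    }
}

/* Constructed data: leaf 1 = objectid 100 (refs 1, 2); leaf 2 starts at objectid 200. */
static int scenario(int fixed, unsigned long want_ref)
{
    static const struct key l2_keys[] = { { 200, 1, 7 } };
    static const struct leaf l2 = { l2_keys, 1, NULL };
    static const struct key l1_keys[] = { { 100, 1, 1 }, { 100, 1, 2 } };
    static const struct leaf l1 = { l1_keys, 2, &l2 };
    struct path p = { &l1, 0 };
    return lookup_ref(&p, &(struct key){ 100, 1, want_ref }, fixed);
}

int main(void) { printf("unfixed=%d fixed=%d\n", scenario(0, 9), scenario(1, 9)); return 0; }
```

In the model, a caller that treats 0 as "found" would go on to use the slot holding the objectid 200 key, which is the wrong-item condition the description warns about.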
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a refactoring in btrfs' lookup_extent_data_ref() introduced a bug where a successful leaf advancement causes -ENOENT to be overwritten with 0, potentially leading to extent tree corruption.
Vulnerability Description
A bug was introduced in the Linux kernel's btrfs filesystem within the function lookup_extent_data_ref() after commit 1618aa3c2e01. The refactoring merged the 'err' and 'ret' variables into a single variable 'ret'. However, when btrfs_next_leaf() returns 0 (indicating successful advancement to the next leaf), the 'ret' variable, which previously held -ENOENT, is overwritten to 0. If the first key in the next leaf does not match the expected objectid or type, the function incorrectly returns 0 instead of -ENOENT.
Attack Vector and Exploitation Prerequisites
This is a local vulnerability that requires the ability to trigger specific btrfs operations that call lookup_extent_data_ref(). The bug was introduced by the refactoring commit 1618aa3c2e01, so kernels that include that commit without the fix are affected. No special network position or authentication beyond local access to the filesystem is needed; the flaw lies entirely in kernel code logic.
Impact
Because the function returns 0 (success) even when the lookup fails, the caller proceeds to operate on a wrong extent tree item. This can lead to reading or modifying the incorrect extent record, resulting in extent tree corruption. In a worst-case scenario, this corruption could cause data integrity issues, loss of filesystem consistency, or a system crash.
Mitigation Status
The fix has been applied to the Linux kernel, with stable kernel commits addressing the issue [1][2][3][4]. Users should update to a kernel version containing the fix. No workaround is available apart from applying the kernel patch.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.10.1,<6.12.82)
- cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References: 4
News mentions: no linked articles in our index yet.