VYPR
← All advisories
Medium severity5.5NVD Advisory· Published May 6, 2026· Updated May 8, 2026

CVE-2026-43118

CVE-2026-43118

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix zero size inode with non-zero size after log replay

When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when we log new names or that an inode exists, we don't log extents).

This works fine except when we have already logged an inode in full mode or it's the first time we are logging an inode created in a past transaction, that inode has a new i_size of 0 and then we log a new name for the inode (due to a new hardlink or a rename), in which case we log an i_size of 0 for the inode and a generation of 0, which causes the log replay code to not update the inode's i_size to 0 (in overwrite_item()).

An example scenario:

mkdir /mnt/dir xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo

sync

xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo

ln /mnt/dir/foo /mnt/dir/bar

xfs_io -c "fsync" /mnt/dir

<power fail>

After log replay the file remains with a size of 64K. This is because when we first log the inode, when we fsync file foo, we log its current i_size of 0, and then when we create a hard link we log again the inode in exists mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we add to the log tree, so during log replay overwrite_item() sees that the generation is 0 and i_size is 0 so we skip updating the inode's i_size from 64K to 0.

Fix this by making sure at fill_inode_item() we always log the real generation of the inode if it was logged in the current transaction with the i_size we logged before. Also if an inode created in a previous transaction is logged in exists mode only, make sure we log the i_size stored in the inode item located from the commit root, so that if we log multiple times that the inode exists we get the correct i_size.

A test case for fstests will follow soon.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A btrfs log replay bug can leave a truncated file with its old non-zero size after a power failure, bypassing the expected i_size update.

Root

Cause

When btrfs logs an inode in "exists" mode (e.g., when creating a new hardlink or renaming), it always writes a generation of 0 for the inode item. This is intended to signal log replay to preserve the inode's i_size from the subvolume tree, since extents are not logged in exists mode. However, if the inode was previously logged in full mode with a new i_size of 0 (e.g., by an fsync of a truncated file), the subsequent exists-mode log preserves the generation of 0 but also stores an i_size of 0. During log replay, overwrite_item() sees generation 0 and interprets the zero i_size as a signal to skip the i_size update, leaving the file with its old non-zero size. The fix ensures that the real inode generation is logged when the i_size has already been updated in the current transaction, and that exists-mode logs carry the correct i_size from the commit root when the inode was created in a prior transaction [1].

Exploitation

The vulnerability is exploitable only locally and requires a specific sequence of operations on a btrfs filesystem: creating a file, writing data, syncing, truncating to zero, fsyncing, creating a hardlink, another fsync on the directory, and finally a power failure or crash. After reboot, log replay will incorrectly restore the file to its pre-truncation size (64 KiB in the reported scenario) instead of the expected zero. No special privileges beyond write access to a btrfs mount are needed.

Impact

A successful exploit causes a file to retain stale data after an explicit truncate-to-zero and fsync followed by a crash. This is a data integrity violation: the file's on-disk size does not match the latest committed metadata. An attacker with local access could deliberately craft this sequence to expose previously written data that the owner believed was discarded. The CVSS v3 score is 5.5 (Medium), reflecting the need for local access and specific prior operations.

Mitigation

The Linux kernel has released stable patches that correct the generation and i_size handling during log replay. Users should apply the patch identified by commit fddb157536e67a055597f00a8b4922d5f5ed0826 (or equivalent backports) [2]. The fix appears in both the mainline and stable kernel series; there is no workaround other than avoiding the problematic combination of operations or upgrading to a patched kernel.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Linux/Kernel6 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.30,<6.18.24
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
  • btrfs/btrfsllm-fuzzy

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

1