CVE-2026-46251
Description
Linux kernel btrfs subsystem corruption due to incorrect block group tree handling when EXTENT_TREE_V2 is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel btrfs subsystem corruption due to incorrect block group tree handling when EXTENT_TREE_V2 is enabled.
Vulnerability
The Linux kernel's btrfs filesystem is vulnerable to data corruption when the EXTENT_TREE_V2 incompat flag is set. The block group tree is incorrectly added to the switch_commits list before switch_commit_roots is called. This leads to corruption of the dirty_list members of the block group root if a block group is allocated and dirtied in a transaction, as it is already linked to a list via dirty_list [1].
Exploitation
An attacker would need to trigger a transaction that involves allocating and dirtying a block group within the btrfs filesystem while the EXTENT_TREE_V2 flag is active. This could potentially occur during normal filesystem operations or through specific malicious actions that manipulate filesystem structures. The corruption is detected when CONFIG_DEBUG_LIST is enabled, during a subsequent list_del operation [1].
Impact
Successful exploitation of this vulnerability can lead to corruption of the btrfs filesystem's internal data structures. This corruption can manifest as a list_del corruption warning, potentially leading to data loss, filesystem instability, or denial of service. The exact impact depends on which data structures are affected by the dirty_list corruption [1].
Mitigation
This vulnerability has been resolved in the Linux kernel. The fix is available in the kernel version corresponding to the commit 201091da34c4f113af6b4a7407091c39bf29d4ca [1]. Users should update to a patched kernel version. No workarounds are described in the available references, and there is no information on EOL status or KEV listing.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
123a1f4264daedbtrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 8aa55cd8a0bf8..0b2498749b1e4 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2508,13 +2508,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
e3d1fd084319btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index ce1e5b5dae3a0..6dbbb03be562f 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2457,13 +2457,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
4eb830847d84btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 7371a3c0bdede..b7679f3399407 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2487,13 +2487,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
6e10283b5519btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index b22b8e68672c1..6d1113dc2abf2 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2450,13 +2450,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
80e1fda9c084btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 041f4781956cf..b537bba767806 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2484,13 +2484,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
201091da34c4btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index bd03f465e2d3e..e3e0d88d53476 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2500,13 +2500,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
3a1f4264daedbtrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 8aa55cd8a0bf8..0b2498749b1e4 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2508,13 +2508,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
6e10283b5519btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index b22b8e68672c1..6d1113dc2abf2 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2450,13 +2450,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
80e1fda9c084btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 041f4781956cf..b537bba767806 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2484,13 +2484,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
e3d1fd084319btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index ce1e5b5dae3a0..6dbbb03be562f 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2457,13 +2457,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
201091da34c4btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index bd03f465e2d3e..e3e0d88d53476 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2500,13 +2500,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
4eb830847d84btrfs: fix block_group_tree dirty_list corruption
1 file changed · +0 −8
fs/btrfs/transaction.c+0 −8 modifieddiff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 7371a3c0bdede..b7679f3399407 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2487,13 +2487,6 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) list_add_tail(&fs_info->chunk_root->dirty_list, &cur_trans->switch_commits); - if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) { - btrfs_set_root_node(&fs_info->block_group_root->root_item, - fs_info->block_group_root->node); - list_add_tail(&fs_info->block_group_root->dirty_list, - &cur_trans->switch_commits); - } - switch_commit_roots(trans); ASSERT(list_empty(&cur_trans->dirty_bgs)); -- cgit 1.3-korg
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- git.kernel.org/stable/c/201091da34c4f113af6b4a7407091c39bf29d4canvd
- git.kernel.org/stable/c/3a1f4264daed4b419c325a7fe35e756cada3cf82nvd
- git.kernel.org/stable/c/4eb830847d84276f1c8ea46541cfeeedaba1fb63nvd
- git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3nvd
- git.kernel.org/stable/c/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4nvd
- git.kernel.org/stable/c/e3d1fd084319f8f0830b22f014c7af6a96b4497bnvd
News mentions
2- Google Android and Linux Kernel: 50 Vulnerabilities Disclosed in Two BatchesVypr Intelligence · Jun 3, 2026
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026Vypr Intelligence · Jun 3, 2026