CVE-2026-23036 (GCVE-0-2026-23036)

Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-05-11 21:58
VLAI?
Title
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to the 'out' label with a path that has a read locked leaf and then we call iget_failed(). This can result in a ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode's mutex, and a task updating a delayed inode starts by taking the node's mutex and then modifying the inode's subvolume btree. Syzbot reported the following lockdep splat for this: ====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ btrfs-cleaner/8725 is trying to acquire lock: ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 but task is already holding lock: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{4:4}: __lock_release kernel/locking/lockdep.c:5574 [inline] lock_release+0x198/0x39c kernel/locking/lockdep.c:5889 up_read+0x24/0x3c kernel/locking/rwsem.c:1632 btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169 btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline] btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133 btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395 __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline] __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141 __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176 btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219 flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828 do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158 btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226 process_one_work+0x7e8/0x155c kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3427 kthread+0x5fc/0x75c kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 -> #0 (&delayed_node->mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 __mutex_lock kernel/locking/mutex.c:760 [inline] mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline] btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326 btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 evict+0x414/0x928 fs/inode.c:810 iput_final fs/inode.c:1914 [inline] iput+0x95c/0xad4 fs/inode.c:1966 iget_failed+0xec/0x134 fs/bad_inode.c:248 btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline] btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 69673992b1aea5540199d9b8b658ede72f55a6cf , < 65241e3ddda60b53a4ee3ae12721fc9ee21d5827 (git)
Affected: 69673992b1aea5540199d9b8b658ede72f55a6cf , < 1e1f2055ad5a7a5d548789b334a4473a7665c418 (git)
Create a notification for this product.
Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.18.7 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65241e3ddda60b53a4ee3ae12721fc9ee21d5827",
              "status": "affected",
              "version": "69673992b1aea5540199d9b8b658ede72f55a6cf",
              "versionType": "git"
            },
            {
              "lessThan": "1e1f2055ad5a7a5d548789b334a4473a7665c418",
              "status": "affected",
              "version": "69673992b1aea5540199d9b8b658ede72f55a6cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\nthe \u0027out\u0027 label with a path that has a read locked leaf and then we call\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\ntriggers inode eviction and that causes the release of the delayed inode,\nwhich must lock the delayed inode\u0027s mutex, and a task updating a delayed\ninode starts by taking the node\u0027s mutex and then modifying the inode\u0027s\nsubvolume btree.\n\nSyzbot reported the following lockdep splat for this:\n\n   ======================================================\n   WARNING: possible circular locking dependency detected\n   syzkaller #0 Not tainted\n   ------------------------------------------------------\n   btrfs-cleaner/8725 is trying to acquire lock:\n   ffff0000d6826a48 (\u0026delayed_node-\u003emutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n\n   but task is already holding lock:\n   ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\n\n   which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n   -\u003e #1 (btrfs-tree-00){++++}-{4:4}:\n          __lock_release kernel/locking/lockdep.c:5574 [inline]\n          lock_release+0x198/0x39c kernel/locking/lockdep.c:5889\n          up_read+0x24/0x3c kernel/locking/rwsem.c:1632\n          btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\n          btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\n          btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\n          btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\n          __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\n          btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\n          __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\n          __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\n          btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\n          flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\n          do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\n          btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\n          process_one_work+0x7e8/0x155c kernel/workqueue.c:3263\n          process_scheduled_works kernel/workqueue.c:3346 [inline]\n          worker_thread+0x958/0xed8 kernel/workqueue.c:3427\n          kthread+0x5fc/0x75c kernel/kthread.c:463\n          ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\n\n   -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{4:4}:\n          check_prev_add kernel/locking/lockdep.c:3165 [inline]\n          check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n          validate_chain kernel/locking/lockdep.c:3908 [inline]\n          __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\n          lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\n          __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\n          __mutex_lock kernel/locking/mutex.c:760 [inline]\n          mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\n          __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n          btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\n          btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\n          btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\n          evict+0x414/0x928 fs/inode.c:810\n          iput_final fs/inode.c:1914 [inline]\n          iput+0x95c/0xad4 fs/inode.c:1966\n          iget_failed+0xec/0x134 fs/bad_inode.c:248\n          btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\n          btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\n          btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\n          btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:58:45.739Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418"
        }
      ],
      "title": "btrfs: release path before iget_failed() in btrfs_read_locked_inode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23036",
    "datePublished": "2026-01-31T11:42:30.782Z",
    "dateReserved": "2026-01-13T15:37:45.943Z",
    "dateUpdated": "2026-05-11T21:58:45.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23036",
      "date": "2026-05-18",
      "epss": "0.00012",
      "percentile": "0.01543"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23036\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-31T12:16:06.910\",\"lastModified\":\"2026-02-03T16:44:36.630\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\\n\\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\\nthe \u0027out\u0027 label with a path that has a read locked leaf and then we call\\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\\ntriggers inode eviction and that causes the release of the delayed inode,\\nwhich must lock the delayed inode\u0027s mutex, and a task updating a delayed\\ninode starts by taking the node\u0027s mutex and then modifying the inode\u0027s\\nsubvolume btree.\\n\\nSyzbot reported the following lockdep splat for this:\\n\\n   ======================================================\\n   WARNING: possible circular locking dependency detected\\n   syzkaller #0 Not tainted\\n   ------------------------------------------------------\\n   btrfs-cleaner/8725 is trying to acquire lock:\\n   ffff0000d6826a48 (\u0026delayed_node-\u003emutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\\n\\n   but task is already holding lock:\\n   ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\\n\\n   which lock already depends on the new lock.\\n\\n   the existing dependency chain (in reverse order) is:\\n\\n   -\u003e #1 (btrfs-tree-00){++++}-{4:4}:\\n          __lock_release kernel/locking/lockdep.c:5574 [inline]\\n          lock_release+0x198/0x39c kernel/locking/lockdep.c:5889\\n          up_read+0x24/0x3c kernel/locking/rwsem.c:1632\\n          btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\\n          btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\\n          btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\\n          btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\\n          __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\\n          btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\\n          __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\\n          __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\\n          btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\\n          flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\\n          do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\\n          btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\\n          process_one_work+0x7e8/0x155c kernel/workqueue.c:3263\\n          process_scheduled_works kernel/workqueue.c:3346 [inline]\\n          worker_thread+0x958/0xed8 kernel/workqueue.c:3427\\n          kthread+0x5fc/0x75c kernel/kthread.c:463\\n          ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\\n\\n   -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{4:4}:\\n          check_prev_add kernel/locking/lockdep.c:3165 [inline]\\n          check_prevs_add kernel/locking/lockdep.c:3284 [inline]\\n          validate_chain kernel/locking/lockdep.c:3908 [inline]\\n          __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\\n          lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\\n          __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\\n          __mutex_lock kernel/locking/mutex.c:760 [inline]\\n          mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\\n          __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\\n          btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\\n          btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\\n          btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\\n          evict+0x414/0x928 fs/inode.c:810\\n          iput_final fs/inode.c:1914 [inline]\\n          iput+0x95c/0xad4 fs/inode.c:1966\\n          iget_failed+0xec/0x134 fs/bad_inode.c:248\\n          btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\\n          btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\\n          btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\\n          btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.