#VU124905 Always-Incorrect Control Flow Implementation in Linux kernel - CVE-2026-23465
Published: April 6, 2026
Vulnerability identifier: #VU124905
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23465
CWE-ID: CWE-670
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to cause data loss.
The vulnerability exists due to improper handling of directory entry logging in btrfs directory logging when logging the parent directory of a conflicting inode during fsync and log replay conditions. A local user can create and remove directories and files and trigger fsync operations to cause data loss.
After a power failure and log replay, newly created directory entries may be missing because the parent directory can be marked as logged without its new dentries being recorded.
Remediation
Install security update from vendor's repository.
External links
- https://git.kernel.org/stable/c/1cf30c73602c69d750c9345c47f2c0e9d0cfb578
- https://git.kernel.org/stable/c/56e72c8b02d982be775d9df025357c152383ee84
- https://git.kernel.org/stable/c/6f5a51969b1deb79aefd2194b48fe7e78e72ff7e
- https://git.kernel.org/stable/c/9573a365ff9ff45da9222d3fe63695ce562beb24
- https://git.kernel.org/stable/c/f556b1e09d054e31f464c0fd37280c2b5a393fee