Always-Incorrect Control Flow Implementation in Linux kernel - CVE-2026-23465

 


Published: April 6, 2026


Vulnerability identifier: #VU124905
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23465
CWE-ID: CWE-670
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause data loss.

The vulnerability exists due to improper handling of directory entries in btrfs directory logging when the parent directory of a conflicting inode is logged during fsync and log replay conditions. A local user can create and remove directories and files and trigger fsync operations to cause data loss.

After a power failure and log replay, newly created directory entries may be missing because the parent directory can be marked as logged without its new dentries being recorded.


How to mitigate CVE-2026-23465

Install the security update from the vendor's repository.
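To decide which hosts need the update first, the following added example (not part of the original advisory or of any vendor tooling) lists mounted btrfs filesystems and separates writable from read-only mounts, since the issue requires creating and removing files. It assumes a mounts table in the format of `/proc/self/mounts`; the function names and the sample table are constructed for illustration, and it does not tell you whether the running kernel is already patched.

```python
#!/usr/bin/env python3
"""List mounted btrfs filesystems from a mounts table (/proc/self/mounts format)."""
import re
import sys

# Constructed sample in /proc/self/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / btrfs rw,relatime,ssd,subvol=/@ 0 0
/dev/sda2 /home btrfs rw,relatime,ssd,subvol=/@home 0 0
/dev/sdb1 /mnt/backup\\040disk btrfs ro,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

def unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def btrfs_mounts(mounts_text):
    """Return {device: {"writable": [...], "read_only": [...]}} for btrfs mounts."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "btrfs":
            continue
        device, mount_point = unescape(fields[0]), unescape(fields[1])
        options = fields[3].split(",")
        key = "read_only" if "ro" in options else "writable"
        # Several subvolumes of one filesystem share a device; group them.
        entry = result.setdefault(device, {"writable": [], "read_only": []})
        entry[key].append(mount_point)
    return result

def main(path="/proc/self/mounts"):
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        found = btrfs_mounts(fh.read())
    if not found:
        print("no btrfs filesystems mounted")
    for device, mounts in sorted(found.items()):
        for state in ("writable", "read_only"):
            for mount_point in mounts[state]:
                print(f"{device} {mount_point!r}: btrfs, {state}")
    # Exit status 1 marks a host with at least one writable btrfs mount.
    return 1 if any(m["writable"] for m in found.values()) else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```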
