HOMEVULNERABILITIESCVE-2026-23181
NONE

CVE-2026-23181

Published: February 14, 2026· Updated: Feb 18, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.5th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: sync read disk super and set block size

When the user performs a btrfs mount, the block device is not set

correctly. The user sets the block size of the block device to 0x4000

by executing the BLKBSZSET command.

Since the block size change also changes the mapping->flags value, this

further affects the result of the mapping_min_folio_order() calculation.

Let's analyze the following two scenarios:

Scenario 1: Without executing the BLKBSZSET command, the block size is

0x1000, and mapping_min_folio_order() returns 0;

Scenario 2: After executing the BLKBSZSET command, the block size is

0x4000, and mapping_min_folio_order() returns 2.

do_read_cache_folio() allocates a folio before the BLKBSZSET command

is executed. This results in the allocated folio having an order value

of 0. Later, after BLKBSZSET is executed, the block size increases to

0x4000, and the mapping_min_folio_order() calculation result becomes 2.

This leads to two undesirable consequences:

1. filemap_add_folio() triggers a VM_BUG_ON_FOLIO(folio_order(folio) <

mapping_min_folio_order(mapping)) assertion.

2. The syzbot report [1] shows a null pointer dereference in

create_empty_buffers() due to a buffer head allocation failure.

Synchronization should be established based on the inode between the

BLKBSZSET command and read cache page to prevent inconsistencies in

block size or mapping flags before and after folio allocation.

[1]

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]

RIP: 0010:create_empty_buffers+0x4d/0x480 fs/buffer.c:1694

Call Trace:

folio_create_buffers+0x109/0x150 fs/buffer.c:1802

block_read_full_folio+0x14c/0x850 fs/buffer.c:2403

filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496

do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096

do_read_cache_page mm/filemap.c:4162 [inline]

read_cache_page_gfp+0x29/0x120 mm/filemap.c:4195

btrfs_read_disk_super+0x192/0x500 fs/btrfs/volumes.c:1367

NVD Source

Technical Analysis

CVE-2026-23181 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-23181
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedFeb 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23181 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.