HOMEVULNERABILITIESCVE-2026-31519
MEDIUM

CVE-2026-31519

Published: April 22, 2026· Updated: Apr 28, 2026

5.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create

We have recently observed a number of subvolumes with broken dentries.

ls-ing the parent dir looks like:

drwxrwxrwt 1 root root 16 Jan 23 16:49 .

drwxr-xr-x 1 root root 24 Jan 23 16:48 ..

d????????? ? ? ? ? ? broken_subvol

and similarly stat-ing the file fails.

In this state, deleting the subvol fails with ENOENT, but attempting to

create a new file or subvol over it errors out with EEXIST and even

aborts the fs. Which leaves us a bit stuck.

dmesg contains a single notable error message reading:

"could not do orphan cleanup -2"

2 is ENOENT and the error comes from the failure handling path of

btrfs_orphan_cleanup(), with the stack leading back up to

btrfs_lookup().

btrfs_lookup

btrfs_lookup_dentry

btrfs_orphan_cleanup // prints that message and returns -ENOENT

After some detailed inspection of the internal state, it became clear

that:

- there are no orphan items for the subvol

- the subvol is otherwise healthy looking, it is not half-deleted or

anything, there is no drop progress, etc.

- the subvol was created a while ago and does the meaningful first

btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much

later.

- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,

which results in a negative dentry for the subvolume via

d_splice_alias(NULL, dentry), leading to the observed behavior. The

bug can be mitigated by dropping the dentry cache, at which point we

can successfully delete the subvolume if we want.

i.e.,

btrfs_lookup()

btrfs_lookup_dentry()

if (!sb_rdonly(inode->vfs_inode)->vfs_inode)

btrfs_orphan_cleanup(sub_root)

test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)

btrfs_search_slot() // finds orphan item for inode N

...

prints "could not do orphan cleanup -2"

if (inode == ERR_PTR(-ENOENT))

inode = NULL;

return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume

btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)

on the root when it runs, so it cannot run more than once on a given

root, so something else must run concurrently. However, the obvious

routes to deleting an orphan when nlinks goes to 0 should not be able to

run without first doing a lookup into the subvolume, which should run

btrfs_orphan_cleanup() and set the bit.

The final important observation is that create_subvol() calls

d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if

the dentry cache gets dropped, the next lookup into the subvolume will

make a real call into btrfs_orphan_cleanup() for the first time. This

opens up the possibility of concurrently deleting the inode/orphan items

but most typical evict() paths will be holding a reference on the parent

dentry (child dentry holds parent->d_lockref.count via dget in

d_alloc(), released in __dentry_kill()) and prevent the parent from

being removed from the dentry cache.

The one exception is delayed iputs. Ordered extent creation calls

igrab() on the inode. If the file is unlinked and closed while those

refs are held, iput() in __dentry_kill() decrements i_count but does

not trigger eviction (i_count > 0). The child dentry is freed and the

subvol dentry's d_lockref.count drops to 0, making it evictable while

the inode is still alive.

Since there are two races (the race between writeback and unlink and

the race between lookup and delayed iputs), and there are too many moving

parts, the following three diagrams show the complete picture.

(Only the second and third are races)

Phase 1:

Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set

btrfs_mksubvol()

lookup_one_len()

__lookup_slow()

d_alloc_parallel()

__d_alloc() // d_lockref.count = 1

create_subvol(dentry)

// doesn't touch the bit..

d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c

---truncated---

NVD Source

Technical Analysis

CVE-2026-31519 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (6)

Quick Facts

CVE IDCVE-2026-31519
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31519 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.