CVE-2026-23423 PUBLISHED

btrfs: free pages on error in btrfs_uring_read_extent()

Assigner: Linux
Reserved: 13.01.2026 Published: 03.04.2026 Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

btrfs: free pages on error in btrfs_uring_read_extent()

In this function the 'pages' object is never freed in the hopes that it is picked up by btrfs_uring_read_finished() whenever that executes in the future. But that's just the happy path. Along the way previous allocations might have gone wrong, or we might not get -EIOCBQUEUED from btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a cleanup section that frees all memory allocated by this function without assuming any deferred execution, and this also needs to happen for the 'pages' allocation.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 34310c442e175f286b4c06ab5caa4e0b267ea31c to d4f210de01eaccac61eee657f676045ef9771d07 (excl.)
  • affected from 34310c442e175f286b4c06ab5caa4e0b267ea31c to 628895890b0c9ac9129129e89455da7db95ba343 (excl.)
  • affected from 34310c442e175f286b4c06ab5caa4e0b267ea31c to 3f501412f2079ca14bf68a18d80a2b7a823f1f64 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.13 is affected
  • unaffected from 0 to 6.13 (excl.)
  • unaffected from 6.18.17 to 6.18.* (incl.)
  • unaffected from 6.19.7 to 6.19.* (incl.)
  • unaffected from 7.0-rc3 to * (incl.)

References