2461485 – (CVE-2026-31666) CVE-2026-31666 kernel: btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()

Bug 2461485 (CVE-2026-31666) - CVE-2026-31666 kernel: btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()

Summary: CVE-2026-31666 kernel: btrfs: fix incorrect return value after changing leaf ...

Keywords:
Status:	NEW
Alias:	CVE-2026-31666
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-24 15:04 UTC by OSIDB Bzimport
Modified:	2026-04-24 22:31 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-24 15:04:16 UTC

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()

After commit 1618aa3c2e01 ("btrfs: simplify return variables in
lookup_extent_data_ref()"), the err and ret variables were merged into
a single ret variable. However, when btrfs_next_leaf() returns 0
(success), ret is overwritten from -ENOENT to 0. If the first key in
the next leaf does not match (different objectid or type), the function
returns 0 instead of -ENOENT, making the caller believe the lookup
succeeded when it did not. This can lead to operations on the wrong
extent tree item, potentially causing extent tree corruption.

Fix this by returning -ENOENT directly when the key does not match,
instead of relying on the ret variable.

Comment 1 Keith Grant 2026-04-24 22:29:06 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042405-CVE-2026-31666-f817@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.