CVE ID : CVE-2026-23214<\/p>\n
Published : Feb. 18, 2026, 2:21 p.m. | 38\u00a0minutes ago<\/p>\n
Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n
btrfs: reject new transactions if the fs is fully read-only<\/p>\n[BUG]\nThere is a bug report where a heavily fuzzed fs is mounted with all
\nrescue mount options, which leads to the following warnings during
\nunmount:<\/p>\n
BTRFS: Transaction aborted (error -22)
\n Modules linked in:
\n CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted
\n 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)
\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04\/01\/2014
\n RIP: 0010:find_free_extent_update_loop fs\/btrfs\/extent-tree.c:4208 [inline]\n RIP: 0010:find_free_extent+0x52f0\/0x5d20 fs\/btrfs\/extent-tree.c:4611
\n Call Trace:<\/p>\n
btrfs_reserve_extent+0x2cd\/0x790 fs\/btrfs\/extent-tree.c:4705
\n btrfs_alloc_tree_block+0x1e1\/0x10e0 fs\/btrfs\/extent-tree.c:5157
\n btrfs_force_cow_block+0x578\/0x2410 fs\/btrfs\/ctree.c:517
\n btrfs_cow_block+0x3c4\/0xa80 fs\/btrfs\/ctree.c:708
\n btrfs_search_slot+0xcad\/0x2b50 fs\/btrfs\/ctree.c:2130
\n btrfs_truncate_inode_items+0x45d\/0x2350 fs\/btrfs\/inode-item.c:499
\n btrfs_evict_inode+0x923\/0xe70 fs\/btrfs\/inode.c:5628
\n evict+0x5f4\/0xae0 fs\/inode.c:837
\n __dentry_kill+0x209\/0x660 fs\/dcache.c:670
\n finish_dput+0xc9\/0x480 fs\/dcache.c:879
\n shrink_dcache_for_umount+0xa0\/0x170 fs\/dcache.c:1661
\n generic_shutdown_super+0x67\/0x2c0 fs\/super.c:621
\n kill_anon_super+0x3b\/0x70 fs\/super.c:1289
\n btrfs_kill_super+0x41\/0x50 fs\/btrfs\/super.c:2127
\n deactivate_locked_super+0xbc\/0x130 fs\/super.c:474
\n cleanup_mnt+0x425\/0x4c0 fs\/namespace.c:1318
\n task_work_run+0x1d4\/0x260 kernel\/task_work.c:233
\n exit_task_work include\/linux\/task_work.h:40 [inline]\n do_exit+0x694\/0x22f0 kernel\/exit.c:971
\n do_group_exit+0x21c\/0x2d0 kernel\/exit.c:1112
\n __do_sys_exit_group kernel\/exit.c:1123 [inline]\n __se_sys_exit_group kernel\/exit.c:1121 [inline]\n __x64_sys_exit_group+0x3f\/0x40 kernel\/exit.c:1121
\n x64_sys_call+0x2210\/0x2210 arch\/x86\/include\/generated\/asm\/syscalls_64.h:232
\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0xe8\/0xf80 arch\/x86\/entry\/syscall_64.c:94
\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f
\n RIP: 0033:0x44f639
\n Code: Unable to access opcode bytes at 0x44f60f.
\n RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
\n RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639
\n RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
\n RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0
\n R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001<\/p>\n
Since rescue mount options will mark the full fs read-only, there should
\nbe no new transaction triggered.<\/p>\n
But during unmount we will evict all inodes, which can trigger a new
\ntransaction, and triggers warnings on a heavily corrupted fs.<\/p>\n[CAUSE]\nBtrfs allows new transaction even on a read-only fs, this is to allow
\nlog replay happen even on read-only mounts, just like what ext4\/xfs do.<\/p>\n
However with rescue mount options, the fs is fully read-only and cannot
\nbe remounted read-write, thus in that case we should also reject any new
\ntransactions.<\/p>\n[FIX]\nIf we find the fs has rescue mount options, we should treat the fs as
\nerror, so that no new transaction can be started.<\/p>\n
Severity: 0.0 | NA<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID : CVE-2026-23214 Published : Feb. 18, 2026, 2:21 p.m. | 38\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: btrfs: reject new transactions if the fs is fully read-only [BUG] There is a bug report where a heavily fuzzed fs is mounted with all rescue mount options, which …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-77378","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=77378"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77378\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=77378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=77378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=77378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}