CVE-2026-31666

Severity: High
Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (fix commits listed under Deeper analysis)
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31666 is a high-severity vulnerability in the Linux kernel; no CWE weakness class has been assigned to it. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranking is the 3.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31666 is a vulnerability in the Linux kernel's BTRFS filesystem, in the lookup_extent_data_ref() function. Commit 1618aa3c2e01 merged the function's separate err and ret variables into a single ret. As a result, the -ENOENT that ret holds while the search is still unresolved is overwritten with 0 whenever btrfs_next_leaf() successfully moves the path to the next leaf. If the first key in that leaf does not belong to the extent being looked up (different objectid or type), the function returns 0 instead of -ENOENT, so the caller treats a failed lookup as a successful one and goes on to operate on whatever extent tree item the path now points at, which can corrupt the extent tree. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Per the CVSS vector, the attacker is local with low privileges, attack complexity is low and no user interaction is required. The high confidentiality, integrity and availability impacts reflect the worst case of the kernel acting on the wrong extent tree item: extent tree corruption with consequent data loss or filesystem instability. Note that the fix commit describes a logic error in error propagation rather than a memory-safety bug, and the EPSS figure on this page (3.5th percentile) indicates low exploit likelihood; the CVSS impact ratings should be read as the consequences of corruption, not as evidence of a demonstrated exploit.

Mitigation is to update to a stable kernel release that carries one of the fix commits: 316fb1b3169efb081d2db910cbbfef445afa03b9, 4125a194db4a6cf91f619f38788272651cb97dce, 450e6a685d0cad95b15f8af152057bd0bf79f50b and ab1e022379c3c811aa72da8eb0c7507859a1d0f5. The patch returns -ENOENT directly when the key does not match, rather than relying on the value left in the ret variable.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()

After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption. Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.
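To make the failure mode described in the analysis above and in the commit message concrete, here is a constructed C model of the search loop. It is an added example written for this page, not code from the kernel or from the fix commits: leaves, keys and the path cursor are plain arrays, next_leaf() stands in for btrfs_next_leaf() (0 = advanced, 1 = tree exhausted, negative = error), and a simple offset comparison stands in for match_extent_data_ref(). What the model reproduces faithfully is the control flow the commit message describes: a single ret initialised to -ENOENT, overwritten by the return value of the next-leaf call, and a key-mismatch path that returns ret (pre-patch) or -ENOENT directly (patched).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric value of BTRFS_EXTENT_DATA_REF_KEY in the btrfs on-disk format;
 * any constant would do for this model. */
#define EXTENT_DATA_REF_KEY 178

struct key {
	uint64_t objectid;
	uint8_t type;
	uint64_t offset;
};

struct leaf {
	const struct key *items;
	size_t nritems;
};

/* Path cursor: which leaf the search is on and which slot within it. */
struct path {
	const struct leaf *leaves;
	size_t nleaves;
	size_t leaf_idx;
	size_t slot;
};

/* Stand-in for btrfs_next_leaf(): 0 = moved to next leaf, 1 = no more leaves.
 * The real function can also return a negative I/O error; this model never does. */
static int next_leaf(struct path *p)
{
	if (p->leaf_idx + 1 >= p->nleaves)
		return 1;
	p->leaf_idx++;
	p->slot = 0;
	return 0;
}

/*
 * Find the EXTENT_DATA_REF item of 'bytenr' whose offset equals 'want'.
 * fixed == 0: pre-patch flow (key mismatch jumps to 'fail' and returns ret).
 * fixed != 0: patched flow (key mismatch returns -ENOENT directly).
 */
static int lookup_ref(struct path *p, uint64_t bytenr, uint64_t want, int fixed)
{
	int ret = -ENOENT;
	const struct leaf *leaf = &p->leaves[p->leaf_idx];

	while (1) {
		if (p->slot >= leaf->nritems) {
			/* On success this overwrites the pending -ENOENT with 0. */
			ret = next_leaf(p);
			if (ret) {
				if (ret > 0)
					return -ENOENT;
				return ret;
			}
			leaf = &p->leaves[p->leaf_idx];
		}

		const struct key *k = &leaf->items[p->slot];
		if (k->objectid != bytenr || k->type != EXTENT_DATA_REF_KEY) {
			if (fixed)
				return -ENOENT;	/* patched: report the miss explicitly */
			goto fail;		/* pre-patch: ret may now be 0 */
		}
		if (k->offset == want) {
			ret = 0;
			break;
		}
		p->slot++;
	}
fail:
	return ret;
}

/*
 * Constructed tree: leaf 0 and leaf 1 hold refs for bytenr 1000, leaf 2 starts
 * with a different objectid. 'nleaves' chooses whether leaf 2 is present, so the
 * same data shows both the tree-exhausted path and the mismatching-leaf path.
 */
static int run_lookup(uint64_t want, size_t nleaves, int fixed)
{
	static const struct key leaf0[] = {
		{ 1000, EXTENT_DATA_REF_KEY, 11 },
		{ 1000, EXTENT_DATA_REF_KEY, 22 },
	};
	static const struct key leaf1[] = { { 1000, EXTENT_DATA_REF_KEY, 33 } };
	static const struct key leaf2[] = { { 2000, EXTENT_DATA_REF_KEY, 44 } };
	const struct leaf leaves[] = { { leaf0, 2 }, { leaf1, 1 }, { leaf2, 1 } };
	struct path p = { leaves, nleaves, 0, 0 };

	return lookup_ref(&p, 1000, want, fixed);
}

int main(void)
{
	printf("ref present in next leaf, pre-patch/patched: %d / %d\n",
	       run_lookup(33, 3, 0), run_lookup(33, 3, 1));
	printf("ref missing, tree exhausted, pre-patch/patched: %d / %d\n",
	       run_lookup(99, 2, 0), run_lookup(99, 2, 1));
	printf("ref missing, next leaf mismatches, pre-patch/patched: %d / %d\n",
	       run_lookup(99, 3, 0), run_lookup(99, 3, 1));
	return 0;
}
```

The third case is the bug: the search crosses into a leaf whose first key belongs to another extent, and the pre-patch flow returns 0 ("found") even though no matching ref exists, while the patched flow returns -ENOENT. The second case shows why the problem is specific to a successful next-leaf step: when the tree is exhausted, both versions already return -ENOENT correctly.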

CWE(s): none listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1485 Data Destruction (tactic: Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

A local kernel BTRFS logic error lets a low-privileged user trigger operations on the wrong extent tree item. The mapping reads this as privilege escalation through abuse of kernel context (T1068) and as deliberate metadata corruption for data destruction or stored data manipulation (T1485, T1565.001). The T1068 mapping is derived from the CVSS vector; the fix commit itself documents only operating on the wrong item and possible extent tree corruption, and no exploitation path is described on this page, which is consistent with the MEDIUM confidence below.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23233 (same product: Linux Linux Kernel)
CVE-2025-71152 (same product: Linux Linux Kernel)
CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2025-21856 (same product: Linux Linux Kernel)
CVE-2025-21727 (same product: Linux Linux Kernel)
CVE-2026-23275 (same product: Linux Linux Kernel)
CVE-2026-31401 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.10, 7.0; 6.10.1 to 6.12.82; 6.13 to 6.18.23; 6.19 to 6.19.13

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: SI-2 Flaw Remediation

Directly requires timely patching of the Linux kernel to fix the incorrect return value logic in btrfs lookup_extent_data_ref(), preventing callers from operating on wrong extent tree items and avoiding corruption.

detect: RA-5 Vulnerability Monitoring and Scanning

Enables vulnerability scanning to identify systems running unpatched Linux kernel versions vulnerable to CVE-2026-31666.

prevent

Requires robust error handling so that an error such as the -ENOENT pending across a btrfs_next_leaf() call is propagated to the caller rather than silently overwritten, preventing operations on the wrong extent item.
