CVE-2026-31666
Published: 24 April 2026
Summary
CVE-2026-31666 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31666 is a vulnerability in the Linux kernel's BTRFS filesystem, affecting the lookup_extent_data_ref() function. Following commit 1618aa3c2e01, which merged error variables into a single ret variable, the function incorrectly overwrites -ENOENT with 0 upon successful btrfs_next_leaf() calls. If the first key in the next leaf mismatches (different objectid or type), it returns 0 instead of -ENOENT, causing callers to operate on incorrect extent tree items and potentially leading to extent tree corruption. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation allows operations on the wrong extent tree item, enabling high-impact confidentiality, integrity, and availability violations, such as extent tree corruption that could result in data loss or filesystem instability.
Mitigation requires updating to patched Linux kernel stable versions via the provided commit fixes: 316fb1b3169efb081d2db910cbbfef445afa03b9, 4125a194db4a6cf91f619f38788272651cb97dce, 450e6a685d0cad95b15f8af152057bd0bf79f50b, and ab1e022379c3c811aa72da8eb0c7507859a1d0f5. These patches ensure -ENOENT is returned directly on key mismatches rather than relying on the ret variable.
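The return-value mistake described above, reduced to a user-space model as an added example (not the kernel's code and not part of the original advisory). The structs, `next_leaf()`, `lookup_ref()`, `demo()` and the sample keys are constructed for illustration; `fixed` switches between the merged-variable behaviour and the patched one.

```c
#include <errno.h>

/* Toy model (not kernel code): a tree is an array of leaves, a leaf an array of keys. */
struct key  { unsigned long objectid; int type; unsigned long ref; };
struct leaf { const struct key *items; int nritems; };
struct path { const struct leaf *leaves; int nleaves, leaf, slot; };

/* Same contract as described for btrfs_next_leaf(): 0 = moved on, >0 = no leaf left. */
static int next_leaf(struct path *p)
{
    if (p->leaf + 1 >= p->nleaves)
        return 1;
    p->leaf++;
    p->slot = 0;
    return 0;
}

/* fixed == 0 models the merged-variable bug, fixed == 1 the patched behaviour. */
static int lookup_ref(struct path *p, const struct key *want, int fixed)
{
    int ret = -ENOENT;                      /* default: not found */
    for (;;) {
        while (p->slot >= p->leaves[p->leaf].nritems) {
            ret = next_leaf(p);             /* success overwrites -ENOENT with 0 */
            if (ret)
                return ret > 0 ? -ENOENT : ret;
        }
        const struct key *k = &p->leaves[p->leaf].items[p->slot];
        if (k->objectid != want->objectid || k->type != want->type)
            return fixed ? -ENOENT : ret;   /* buggy form returns the stale 0 */
        if (k->ref == want->ref)
            return 0;                       /* genuine match */
        p->slot++;
    }
}

/* Constructed data: objectid 100's items end exactly at a leaf boundary. */
static const struct key leaf0[] = { {100, 1, 7}, {100, 1, 8} };
static const struct key leaf1[] = { {200, 1, 9} };
static const struct leaf leaves[] = { {leaf0, 2}, {leaf1, 1} };
int demo(unsigned long ref, int fixed)      /* look up `ref` under objectid 100 */
{
    struct key want = { 100, 1, ref };
    struct path p = { leaves, 2, 0, 0 };
    return lookup_ref(&p, &want, fixed);
}

int main(void)
{
    return (demo(42, 0) == 0 && demo(42, 1) == -ENOENT) ? 0 : 1;
}
```

The false success only appears when the search crosses into a new leaf whose first key belongs to a different object, which is why the regression is easy to miss in tests that keep all matching items in one leaf.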
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25559
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption.
Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel BTRFS logic error allows low-privileged attacker to trigger operations on incorrect extent items, directly enabling privilege escalation via kernel context abuse (T1068) and deliberate metadata corruption for data destruction or stored data manipulation (T1485, T1565.001).
Mitigating Controls (NIST 800-53 r5)
Directly requires timely patching of the Linux kernel to fix the incorrect return value logic in btrfs lookup_extent_data_ref(), preventing callers from operating on wrong extent tree items and avoiding corruption.
Enables vulnerability scanning to identify systems running unpatched Linux kernel versions vulnerable to CVE-2026-31666.
Requires robust error handling to ensure proper propagation of errors like -ENOENT mismatches in btrfs_next_leaf(), mitigating operations on incorrect extent items.