{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: xfs: only call xf{array,blob}_destroy if we have a valid pointer",
    "id" : "2448710",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448710"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxfs: only call xf{array,blob}_destroy if we have a valid pointer\nOnly call the xfarray and xfblob destructor if we have a valid pointer,\nand be sure to null out that pointer afterwards.  Note that this patch\nfixes a large number of commits, most of which were merged between 6.9\nand 6.10.", "A NULL pointer dereference vulnerability was found in the Linux kernel's XFS filesystem. The xfarray_destroy() and xfblob_destroy() functions are called without checking if the pointer is valid. When these destructors are invoked on NULL pointers during cleanup paths, a kernel crash occurs. The fix adds NULL checks before calling the destructors and nullifies the pointers afterward to prevent double-free issues." ],
  "statement" : "This flaw affects XFS filesystems in kernels between 6.9 and 6.10 where the xfarray and xfblob infrastructure was introduced for online repair functionality. The NULL pointer dereference occurs in error handling and cleanup paths. While this can cause a kernel crash, exploitation requires triggering specific error conditions in XFS scrub/repair operations.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23251\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23251\nhttps://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/T" ],
  "name" : "CVE-2026-23251",
  "csaw" : false
}