{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create",
    "id" : "2460617",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460617"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create\nWe have recently observed a number of subvolumes with broken dentries.\nls-ing the parent dir looks like:\ndrwxrwxrwt 1 root root 16 Jan 23 16:49 .\ndrwxr-xr-x 1 root root 24 Jan 23 16:48 ..\nd????????? ? ?    ?     ?            ? broken_subvol\nand similarly stat-ing the file fails.\nIn this state, deleting the subvol fails with ENOENT, but attempting to\ncreate a new file or subvol over it errors out with EEXIST and even\naborts the fs. Which leaves us a bit stuck.\ndmesg contains a single notable error message reading:\n\"could not do orphan cleanup -2\"\n2 is ENOENT and the error comes from the failure handling path of\nbtrfs_orphan_cleanup(), with the stack leading back up to\nbtrfs_lookup().\nbtrfs_lookup\nbtrfs_lookup_dentry\nbtrfs_orphan_cleanup // prints that message and returns -ENOENT\nAfter some detailed inspection of the internal state, it became clear\nthat:\n- there are no orphan items for the subvol\n- the subvol is otherwise healthy looking, it is not half-deleted or\nanything, there is no drop progress, etc.\n- the subvol was created a while ago and does the meaningful first\nbtrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much\nlater.\n- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,\nwhich results in a negative dentry for the subvolume via\nd_splice_alias(NULL, dentry), leading to the observed behavior. The\nbug can be mitigated by dropping the dentry cache, at which point we\ncan successfully delete the subvolume if we want.\ni.e.,\nbtrfs_lookup()\nbtrfs_lookup_dentry()\nif (!sb_rdonly(inode->vfs_inode)->vfs_inode)\nbtrfs_orphan_cleanup(sub_root)\ntest_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\nbtrfs_search_slot() // finds orphan item for inode N\n...\nprints \"could not do orphan cleanup -2\"\nif (inode == ERR_PTR(-ENOENT))\ninode = NULL;\nreturn d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume\nbtrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\non the root when it runs, so it cannot run more than once on a given\nroot, so something else must run concurrently. However, the obvious\nroutes to deleting an orphan when nlinks goes to 0 should not be able to\nrun without first doing a lookup into the subvolume, which should run\nbtrfs_orphan_cleanup() and set the bit.\nThe final important observation is that create_subvol() calls\nd_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if\nthe dentry cache gets dropped, the next lookup into the subvolume will\nmake a real call into btrfs_orphan_cleanup() for the first time. This\nopens up the possibility of concurrently deleting the inode/orphan items\nbut most typical evict() paths will be holding a reference on the parent\ndentry (child dentry holds parent->d_lockref.count via dget in\nd_alloc(), released in __dentry_kill()) and prevent the parent from\nbeing removed from the dentry cache.\nThe one exception is delayed iputs. Ordered extent creation calls\nigrab() on the inode. If the file is unlinked and closed while those\nrefs are held, iput() in __dentry_kill() decrements i_count but does\nnot trigger eviction (i_count > 0). The child dentry is freed and the\nsubvol dentry's d_lockref.count drops to 0, making it evictable while\nthe inode is still alive.\nSince there are two races (the race between writeback and unlink and\nthe race between lookup and delayed iputs), and there are too many moving\nparts, the following three diagrams show the complete picture.\n(Only the second and third are races)\nPhase 1:\nCreate Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set\nbtrfs_mksubvol()\nlookup_one_len()\n__lookup_slow()\nd_alloc_parallel()\n__d_alloc() // d_lockref.count = 1\ncreate_subvol(dentry)\n// doesn't touch the bit..\nd_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c\n---truncated---", "A flaw was found in the Linux kernel's Btrfs filesystem. A race condition, a situation where the outcome depends on the sequence or timing of uncontrollable events, can occur during the creation and cleanup of subvolumes. This can result in a valid subvolume being incorrectly marked as a broken entry in the directory cache, preventing its deletion or the creation of new data in its location. This issue can lead to a denial of service, potentially causing the filesystem to become unresponsive or abort." ],
  "statement" : "Setting `BTRFS_ROOT_ORPHAN_CLEANUP` during `create_subvol()` closes the race where the first real orphan cleanup could fail with `-ENOENT` and splice a negative dentry for a healthy subvolume. Red Hat advises Btrfs users to take patched kernels for metadata reliability. Unload/use avoidance of `btrfs` is rarely practical where the root fs is btrfs.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31519\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31519\nhttps://lore.kernel.org/linux-cve-announce/2026042211-CVE-2026-31519-fdd6@gregkh/T" ],
  "name" : "CVE-2026-31519",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the btrfs module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}