CVE-2026-31519

Home/CVE/In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol

CVE

In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol

In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root 16 Jan 23 16:49 . drwxr-xr-x 1 root 24 Jan 23 16:48 .. d????????? ? broken_subvol and similarly stat-ing the file fails. In this state, deleting the subvol fails with ENOENT, but attempting to create a new file or subvol over it errors out with EEXIST and even aborts the fs. Which leaves us a bit stuck. dmesg contains a single notable error message reading: "could not do orphan cleanup -2" 2 is ENOENT and the error comes from the failure handling path of btrfs_orphan_cleanup(), with the stack leading back up to btrfs_lookup(). btrfs_lookup btrfs_lookup_dentry btrfs_orphan_cleanup // prints that message and returns -ENOENT After some detailed inspection of the internal state, it became clear that: - there are no orphan items for the subvol - the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc. - the subvol was created a while ago and does the meaningful first btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much later. - after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT, which results in a negative dentry for the subvolume via d_splice_alias(NULL, dentry), leading to the observed behavior.

The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want. i.e., btrfs_lookup() btrfs_lookup_dentry() if (!sb_rdonly(inode-vfs_inode)-vfs_inode) btrfs_orphan_cleanup(sub_root) test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) btrfs_search_slot() // finds orphan item for inode N ... prints "could not do orphan cleanup -2" if (inode == ERR_PTR(-ENOENT)) inode = NULL; return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) on the root when it runs, so it cannot run more than once on a given root, so something else must run concurrently. However, the obvious routes to deleting an orphan when nlinks goes to 0 should not be able to run without first doing a lookup into the subvolume, which should run btrfs_orphan_cleanup() and set the bit. The final important observation is that create_subvol() calls d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if the dentry cache gets dropped, the next lookup into the subvolume will make a real call into btrfs_orphan_cleanup() for the first time.

This opens up the possibility of concurrently deleting the inode/orphan items but most typical evict() paths will be holding a reference on the parent dentry (child dentry holds parent-d_lockref.count via dget in d_alloc(), released in __dentry_kill()) and prevent the parent from being removed from the dentry cache. The one exception is delayed iputs. Ordered extent creation calls igrab() on the inode.

If the file is unlinked and closed while those refs are held, iput() in __dentry_kill() decrements i_count but does not trigger eviction (i_count > 0). The child dentry is freed and the subvol dentry's d_lockref.count drops to 0, making it evictable while the inode is still alive. Since there are two races (the race between writeback and unlink and the race between lookup and delayed iputs), and there are too many moving parts, the following three diagrams show the complete picture.

(Only the second and third are races) Phase 1: Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set btrfs_mksubvol() lookup_one_len() __lookup_slow() d_alloc_parallel() __d_alloc() // d_lockref.count = 1 create_subvol(dentry) // doesn't touch the bit.. d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c ---truncated---.

MEDIUM · CVSS 5.5 EPSS 0.00015

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2026-31519, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2026-31519

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1068 · Exploitation for Privilege Escalation

▤ Build a SIEM detection for these techniques

⬡

Weakness Classification

CWE-476NULL Pointer Dereference

▤

Affected Products & Versions

linux kernel>= 2.6.32.19 and < 2.6.33
linux kernel>= 2.6.33 and < 6.1.168
linux kernel>= 6.2 and < 6.6.131
linux kernel>= 6.7 and < 6.12.80
linux kernel>= 6.13 and < 6.18.21
linux kernel>= 6.19 and < 6.19.11
linux kernelall versions

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
suse sle15cluster-md-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15dlm-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15gfs2-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15kernel-64kb fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-azure fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-default fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-default-base fixed in 0:6.4.0-150700.53.55.1.150700.17.33.1
suse sle15kernel-default-extra fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-docs fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-livepatch-6_4_0-150700_7_54-rt fixed in 0:1-150700.1.3.1
suse sle15kernel-macros fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-obs-build fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15kernel-source fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-source-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15kernel-syms fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-syms-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15kernel-zfcpdump fixed in 0:6.4.0-150700.53.55.1
suse sle15ocfs2-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15reiserfs-kmp-default fixed in 0:6.4.0-150700.53.55.1

▣

Scoring & Timeline

5.5

MEDIUM · CVSS v3.1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD22 Apr 2026 · 02:16 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

⚑

Vendor Advisories

suse-csafSUSE-SU-2026:2238-1
suse-csafSUSE-SU-2026:2217-1
suse-csafSUSE-SU-2026:21876-1
suse-csafSUSE-SU-2026:21877-1
suse-csafSUSE-SU-2026:21916-1
Show all 11 vendor advisoriessuse-csafSUSE-SU-2026:21919-1
suse-csafopenSUSE-SU-2026:20826-1
suse-csafSUSE-SU-2026:21841-1
suse-csafSUSE-SU-2026:21845-1
suse-csafSUSE-SU-2026:21860-1
msrcCVE-2026-31519

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://git.kernel.org/stable/c/2ec578e6452138ab76f6c9a9c18711fcd197649fPatch

https://git.kernel.org/stable/c/5131fa077f9bb386a1b901bf5b247041f0ec8f80Patch

https://git.kernel.org/stable/c/696683f214495db3cdacab9a713efaaced8660f8Patch

https://git.kernel.org/stable/c/a41a9b8d19a98b45591528c6e54d31cc66271d1ePatch

https://git.kernel.org/stable/c/c57276ced3c3207f42182dfa2f0d8e860357e111Patch

https://git.kernel.org/stable/c/d43da8de0ed376abafbad8a245a1835e8f66cb0fPatch