Security Vulnerability Report
CVE-2026-23250 CVSS 5.5 MEDIUM

CVE-2026-23250

Published: 2026-03-18 18:16:23
Last Modified: 2026-05-21 18:32:11
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: check return value of xchk_scrub_create_subord

Fix this function to return NULL instead of a mangled ENOMEM, then fix the callers to actually check for a null pointer and return ENOMEM. Most of the corrections here are for code merged between 6.2 and 6.10.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.10, before 6.12.75) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13, before 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19, before 6.19.6) - VULNERABLE
Linux Kernel 6.2.x
Linux Kernel 6.3.x
Linux Kernel 6.4.x
Linux Kernel 6.5.x
Linux Kernel 6.6.x
Linux Kernel 6.7.x
Linux Kernel 6.8.x
Linux Kernel 6.9.x
Linux Kernel 6.10.x (merged code affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2026-23250 PoC - XFS scrub function NULL pointer issue
 * This is a conceptual PoC demonstrating the vulnerability trigger
 * Requires: Local access, ability to mount XFS filesystem
 */
#include <errno.h>   /* ENOMEM */
#include <stdint.h>  /* intptr_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated vulnerable function behavior */
void *xchk_scrub_create_subord_vuln(int memory_available)
{
    void *ptr = NULL;

    /* Simulate memory allocation failure scenario */
    if (!memory_available) {
        /* VULNERABLE: Returns mangled ENOMEM instead of NULL */
        return (void *)(intptr_t)-ENOMEM; /* Should return NULL */
    }
    ptr = malloc(1024);
    return ptr;
}

/* Vulnerable caller that doesn't check properly */
int caller_vuln(int memory_available)
{
    void *subord = xchk_scrub_create_subord_vuln(memory_available);

    /* VULNERABLE: Only checks for NULL, not for error values */
    if (subord == NULL) {
        return -ENOMEM;
    }
    /* This code path is reached with the mangled return value, */
    /* which is non-NULL but does not point to valid memory */
    memset(subord, 0, 1024); /* Undefined behavior */
    free(subord);
    return 0;
}

/* Fixed version */
void *xchk_scrub_create_subord_fixed(int memory_available)
{
    void *ptr = NULL;

    if (!memory_available) {
        /* FIXED: Properly return NULL on ENOMEM */
        return NULL;
    }
    ptr = malloc(1024);
    return ptr;
}

/* Prints a summary only; the simulated functions above are not called */
int main(void)
{
    printf("CVE-2026-23250 PoC - XFS xchk_scrub_create_subord\n");
    printf("Trigger condition: Memory pressure during XFS scrub operation\n");
    printf("Impact: System crash / Denial of Service\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23250", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T18:16:22.950", "lastModified": "2026-05-21T18:32:11.127", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check return value of xchk_scrub_create_subord\n\nFix this function to return NULL instead of a mangled ENOMEM, then fix\nthe callers to actually check for a null pointer and return ENOMEM.\nMost of the corrections here are for code merged between 6.2 and 6.10."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nxfs: comprobar el valor de retorno de xchk_scrub_create_subord\n\nCorregir esta función para que devuelva NULL en lugar de un ENOMEM corrupto, luego corregir a los llamadores para que realmente comprueben si hay un puntero nulo y devuelvan ENOMEM. La mayoría de las correcciones aquí son para código fusionado entre 6.2 y 6.10."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.75", "matchCriteriaId": "CB67FC73-CF7B-41DB-A5A5-423C53BE93EF"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2b658d1249666cc55af9484dcf5f45ca438d4ecc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b2df809edd8cb7d1c3e19d9f6aabc2bd55d2bfb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ca27313fb3f23e4ac18532ede4ec1c7cc5814c4a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d6f3f7d4dd8a179394cef03c00993d57f5f68601", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}