{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T07:37:02.652","vulnerabilities":[{"cve":{"id":"CVE-2024-26644","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-03-26T16:15:12.137","lastModified":"2025-07-17T17:15:33.783","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\n\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\n\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\n\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\n\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: no aborte el sistema de archivos al intentar crear una instantánea del subvolumen eliminado. Si el descriptor del archivo fuente de la instantánea ioctl se refiere a un subvolumen eliminado, obtenemos la siguiente cancelación: BTRFS: transacción abortada (error -2) ADVERTENCIA: CPU: 0 PID: 833 en fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs] Módulos vinculados en: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c CPU: 0 PID: 833 Comm: t_snapshot_dele No contaminado 6.7.0-rc6 #2 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 01/04/2014 RIP: 0010:create_pending_snapshot +0x1040/0x1190 [btrfs] RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027 RDX: ffff99 827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840 RBP: ffffa09c01337c00 R08: 00000000000000000 R09: ffffa09c01337998 R10: 000000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80 FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:000000000000 0000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0 Rastreo de llamadas: &lt; TAREA&gt; ? create_pending_snapshot+0x1040/0x1190 [btrfs]? __advertir+0x81/0x130 ? create_pending_snapshot+0x1040/0x1190 [btrfs]? report_bug+0x171/0x1a0? handle_bug+0x3a/0x70? exc_invalid_op+0x17/0x70? asm_exc_invalid_op+0x1a/0x20? create_pending_snapshot+0x1040/0x1190 [btrfs]? create_pending_snapshot+0x1040/0x1190 [btrfs] create_pending_snapshots+0x92/0xc0 [btrfs] btrfs_commit_transaction+0x66b/0xf40 [btrfs] btrfs_mksubvol+0x301/0x4d0 [btrfs] btrfs_mksnapshot+0x8 0/0xb0 [btrfs] __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs] btrfs_ioctl_snap_create_v2+ 0xc4/0x150 [btrfs] btrfs_ioctl+0x8a6/0x2650 [btrfs] ? kmem_cache_free+0x22/0x340? do_sys_openat2+0x97/0xe0 __x64_sys_ioctl+0x97/0xd0 do_syscall_64+0x46/0xf0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7fe20abe83af RSP: 002b:00007ffe6eff13 60 EFLAGS: 00000246 ORIG_RAX: 00000000000000010 RAX: ffffffffffffffda RBX: 00000000000000004 RCX: 00007fe20abe83af RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0 R10: 0000000000000000 R11: 00 00000000000246 R12: 0000000000000000 R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58  ---[ final de seguimiento 0000000000000000 ]--- BTRFS: error ( dispositivo vdc: estado A) en create_pending_snapshot:1875: errno=-2 No existe tal entrada Información BTRFS (dispositivo vdc: estado EA): solo lectura forzada Advertencia BTRFS (dispositivo vdc: estado EA): omitir confirmación de transacción abortada. BTRFS: error (dispositivo vdc: estado EA) en cleanup_transaction:2055: errno=-2 No existe tal entrada. Esto sucede porque create_pending_snapshot() inicializa el nuevo elemento raíz como una copia del elemento raíz de origen. Esto incluye el campo de referencias, que es 0 para un subvolumen eliminado. Por lo tanto, la llamada a btrfs_insert_root() inserta una raíz con refs == 0. btrfs_get_new_fs_root() luego encuentra la raíz y devuelve -ENOENT si refs == 0, lo que hace que create_pending_snapshot() aborte. Solucionelo verificando las referencias de la raíz de origen antes de intentar la instantánea, pero después de bloquear subvol_sem para evitar correr con la eliminación."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-908"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.210","matchCriteriaId":"24443040-F8E0-445D-8395-40A94214526C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.149","matchCriteriaId":"0D0465BB-4053-4E15-9137-6696EBAE90FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.76","matchCriteriaId":"32F0FEB3-5FE1-4400-A56D-886F09BE872E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.15","matchCriteriaId":"87C718CB-AE3D-4B07-B4D9-BFF64183C468"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.3","matchCriteriaId":"58FD5308-148A-40D3-B36A-0CA6B434A8BF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*","matchCriteriaId":"B9F4EA73-0894-400F-A490-3A397AB7A517"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c06941564027bdbc01d2df7f41e333c11cb0482d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}