CVE-2026-46160

MEDIUMNVD 5.55.5
EchelonGraph scoreMEDIUM confidence

Score 5.5 from GitHub Security Advisory published 2026-05-28. NVD baseline CVSS 5.5; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
Trending — 4 sources updated this week
5.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 5.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix missing last_unlink_trans update when removing a directory

When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.

Example scenario:

mkdir /mnt/dir1 mkdir /mnt/dir1/dir2 mkdir /mnt/dir3

sync -f /mnt

# Do some change to the directory and fsync it. chmod 700 /mnt/dir1 xfs_io -c fsync /mnt/dir1

# Move dir2 out of dir1 so that dir1 becomes empty. mv /mnt/dir1/dir2 /mnt/dir3/

open fd on /mnt/dir1 call rmdir(2) on path "/mnt/dir1" fsync fd

When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:

[445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm [445771.627912] BTRFS info (device dm-0): start tree-log replay [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 [445771.629453] memcg:ffff89f400351b00 [445771.629892] aops:btree_aops [btrfs] ino:1 [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 [445771.635029] page dumped because: eb page dump [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 [445771.638100] rdev 0 sequence 2 flags 0x0 [445771.638102] atime 1775744884.0 [445771.660056] ctime 1775744885.645502983 [445771.660058] mtime 1775744885.645502983 [445771.660060] otime 1775744884.0 [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [445771.660064] index 0 name_len 2 [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 [445771.660068] location key (259 1 0) type 2 [445771.660070] transid 9 data_len 0 name_len 4 [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 [445771.660076] location key (257 1 0) type 2 [445771.660077] transid 9 data_len 0 name_len 4 [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [445771.660079] location key (257 1 0) type 2 [445771.660080] transid 9 data_len 0 name_len 4 [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 [445771.660082] location key (259 1 0) type 2 [445771.660083] transid 9 data_len 0 name_len 4 [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 [445771.660088] rdev 0 sequence 2 flags 0x0 [445771.660089] atime 1775744885.641174097 [445771.660090] ctime 1775744885.645502983 [445771.660091] mtime 1775744885.645502983 [445771.660105] otime 1775744885.641174097 [445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14 [445771.660107] index 2 name_len 4 [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 [445771.660109] location key (2 ---truncated---

CVSS v3
5.5
EG Score
5.5(medium)
EPSS
2.8%
KEV
Not listed

Published

May 28, 2026

Last Modified

June 19, 2026

Advisory Details (8)

Auto-updated Jun 19, 2026
No patch confirmed yet.
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/af467162290f5fe79d6a361b7c84302e45b1fd9f
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/6acbb2f6dff23c9bb9761fb98b516525b9cf1ce9
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e
generic

btrfs: fix missing last_unlink_trans update when removing a directory - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/2525998ac956476bded26b9f34c4164dc890b87a

Vendor Advisories for CVE-2026-46160(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 12× in last 7d / 71× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 127 total refreshes for this CVE.

  1. 2026-07-16 10:23 UTCEG score recompute
  2. 2026-07-16 10:23 UTCVendor advisory
  3. 2026-07-16 10:23 UTCGHSA enrichment
  4. 2026-07-15 16:57 UTCEPSS rescore
  5. 2026-07-13 22:30 UTCEPSS rescore
  6. 2026-07-13 06:13 UTCEPSS rescore
  7. 2026-07-12 05:46 UTCEPSS rescore
  8. 2026-07-11 21:16 UTCEG score recompute
  9. 2026-07-11 21:16 UTCVendor advisory
  10. 2026-07-11 21:16 UTCGHSA enrichment
  11. 2026-07-11 08:27 UTCEPSS rescore
  12. 2026-07-09 19:10 UTCEPSS rescore
  13. 2026-07-08 18:28 UTCEG score recompute
  14. 2026-07-08 18:28 UTCVendor advisory
  15. 2026-07-08 18:28 UTCGHSA enrichment
  16. 2026-07-08 15:16 UTCEPSS rescore
  17. 2026-07-07 13:46 UTCEPSS rescore
  18. 2026-07-06 16:27 UTCEPSS rescore
  19. 2026-07-06 02:23 UTCEPSS rescore
  20. 2026-07-04 06:31 UTCEPSS rescore
  21. 2026-07-02 14:15 UTCEG score recompute
  22. 2026-07-02 14:15 UTCVendor advisory
  23. 2026-07-02 14:14 UTCGHSA enrichment
  24. 2026-07-01 15:07 UTCEPSS rescore
  25. 2026-07-01 03:43 UTCEG score recompute
Show 75 more
  1. 2026-07-01 03:43 UTCVendor advisory
  2. 2026-07-01 03:43 UTCGHSA enrichment
  3. 2026-06-30 23:22 UTCEPSS rescore
  4. 2026-06-30 03:08 UTCEG score recompute
  5. 2026-06-30 03:08 UTCVendor advisory
  6. 2026-06-30 03:08 UTCGHSA enrichment
  7. 2026-06-29 14:06 UTCEPSS rescore
  8. 2026-06-29 14:06 UTCEPSS rescore
  9. 2026-06-29 02:39 UTCEG score recompute
  10. 2026-06-29 02:39 UTCVendor advisory
  11. 2026-06-29 02:39 UTCGHSA enrichment
  12. 2026-06-28 14:07 UTCEPSS rescore
  13. 2026-06-28 04:56 UTCEPSS rescore
  14. 2026-06-28 04:56 UTCEPSS rescore
  15. 2026-06-28 02:09 UTCEG score recompute
  16. 2026-06-28 02:09 UTCVendor advisory
  17. 2026-06-28 02:09 UTCGHSA enrichment
  18. 2026-06-27 03:08 UTCEPSS rescore
  19. 2026-06-27 01:38 UTCEG score recompute
  20. 2026-06-27 01:38 UTCVendor advisory
  21. 2026-06-27 01:37 UTCGHSA enrichment
  22. 2026-06-25 23:14 UTCEG score recompute
  23. 2026-06-25 23:14 UTCVendor advisory
  24. 2026-06-25 23:14 UTCGHSA enrichment
  25. 2026-06-25 13:49 UTCEPSS rescore
  26. 2026-06-24 22:46 UTCEG score recompute
  27. 2026-06-24 22:46 UTCVendor advisory
  28. 2026-06-24 22:46 UTCGHSA enrichment
  29. 2026-06-24 14:05 UTCEPSS rescore
  30. 2026-06-23 21:33 UTCEPSS rescore
  31. 2026-06-23 21:33 UTCEPSS rescore
  32. 2026-06-22 14:25 UTCEPSS rescore
  33. 2026-06-22 14:25 UTCEPSS rescore
  34. 2026-06-21 14:56 UTCEPSS rescore
  35. 2026-06-21 14:56 UTCEPSS rescore
  36. 2026-06-21 01:59 UTCEPSS rescore
  37. 2026-06-21 01:59 UTCEPSS rescore
  38. 2026-06-19 19:26 UTCEPSS rescore
  39. 2026-06-19 19:26 UTCEPSS rescore
  40. 2026-06-19 15:13 UTCNVD updateCVSS v3 → 5.5 · severity → MEDIUM
  41. 2026-06-18 17:52 UTCEPSS rescore
  42. 2026-06-18 17:52 UTCEPSS rescore
  43. 2026-06-17 17:53 UTCEPSS rescore
  44. 2026-06-17 07:55 UTCEG score recompute
  45. 2026-06-17 07:55 UTCGHSA enrichment
  46. 2026-06-16 17:52 UTCEPSS rescore
  47. 2026-06-16 07:02 UTCEG score recompute
  48. 2026-06-16 07:02 UTCVendor advisory
  49. 2026-06-16 07:02 UTCGHSA enrichment
  50. 2026-06-15 17:49 UTCEPSS rescore
  51. 2026-06-15 06:36 UTCEG score recompute
  52. 2026-06-15 06:36 UTCVendor advisory
  53. 2026-06-15 06:36 UTCGHSA enrichment
  54. 2026-06-14 23:28 UTCMITRE cvelistV5
  55. 2026-06-14 06:10 UTCEG score recompute
  56. 2026-06-14 06:10 UTCVendor advisory
  57. 2026-06-14 06:10 UTCGHSA enrichment
  58. 2026-06-13 23:00 UTCEPSS rescore
  59. 2026-06-13 05:42 UTCEG score recompute
  60. 2026-06-13 05:42 UTCVendor advisory
  61. 2026-06-13 05:42 UTCGHSA enrichment
  62. 2026-06-12 23:12 UTCEPSS rescore
  63. 2026-06-12 23:12 UTCEPSS rescore
  64. 2026-06-12 05:16 UTCEG score recompute
  65. 2026-06-12 05:16 UTCGHSA enrichment
  66. 2026-06-11 14:00 UTCEPSS rescore
  67. 2026-06-11 04:50 UTCEG score recompute
  68. 2026-06-11 04:50 UTCVendor advisory
  69. 2026-06-11 04:50 UTCGHSA enrichment
  70. 2026-06-10 22:18 UTCEPSS rescore
  71. 2026-06-10 13:22 UTCEPSS rescore
  72. 2026-06-10 13:22 UTCEPSS rescore
  73. 2026-06-10 04:24 UTCEG score recompute 5.50
  74. 2026-06-10 04:24 UTCGHSA enrichment
  75. 2026-06-09 21:17 UTCNVD updateCVSS v3 → 5.5 · severity → MEDIUM

Frequently asked(5)

What is CVE-2026-46160?
CVE-2026-46160 is a medium vulnerability published on May 28, 2026. In the Linux kernel, the following vulnerability has been resolved: btrfs: fix missing lastunlinktrans update when removing a directory When removing a directory we are not updating its lastunlinktrans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after…
When was CVE-2026-46160 disclosed?
CVE-2026-46160 was first published in the National Vulnerability Database on May 28, 2026, with the most recent update on June 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-46160 actively exploited?
CVE-2026-46160 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 2.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-46160?
CVE-2026-46160 has a CVSS v3 base score of 5.5 (NVD).
How do I remediate CVE-2026-46160?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46160, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-46160

Explore →

Is Your Infrastructure Affected by CVE-2026-46160?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.