Skip to main content

Linux Kernel CVE-2026-43117

| EUVDEUVD-2026-27643 CRITICAL
2026-05-06 Linux
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:28 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.1 (CRITICAL)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()

If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.

Use file_inode(file)->i_sb to always get btrfs_sb.

AnalysisAI

A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.

Technical ContextAI

This vulnerability resides in the btrfs filesystem tracepoint infrastructure, specifically in the event handler for btrfs_sync_file(). Btrfs is a modern copy-on-write filesystem for Linux with advanced features like snapshots and checksumming. OverlayFS is a union filesystem that layers one filesystem on top of another, commonly used in containers. When OverlayFS is mounted over btrfs, the kernel's dentry structure (directory entry cache) points to the overlay superblock rather than the underlying btrfs superblock. The vulnerable tracepoint code incorrectly uses dentry->d_sb to access the filesystem superblock for fsid (filesystem identifier) operations. Since the overlay superblock lacks the btrfs-specific structures expected during fsid assignment, dereferencing this pointer causes a kernel crash. The fix changes the code to use file_inode(file)->i_sb, which correctly resolves to the btrfs superblock regardless of overlaying filesystems, ensuring proper type safety in the kernel's VFS (Virtual File System) layer.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136 or later for 6.6.x branch, 6.12.83 or later for 6.12.x branch, 6.18.24 or later for 6.18.x branch, 6.19.14 or later for 6.19.x branch, or 7.0 or later for mainline. Upstream patch commits are available at https://git.kernel.org/stable/c/d110d7cdb045715c0b45b0dfd974525bb38f653d (and related commits listed in references). For systems unable to upgrade immediately, implement these compensating controls with noted trade-offs: (1) Avoid mounting OverlayFS on btrfs filesystems - use ext4 or xfs as the lower layer for OverlayFS instead (trade-off: lose btrfs snapshot/subvolume features for container storage); (2) Disable btrfs tracepoints if kernel tracing is not operationally required - check /sys/kernel/debug/tracing/events/btrfs/ and disable via echo 0 to enable files (trade-off: lose btrfs performance monitoring and debugging capability); (3) If using containers, configure container runtime to use a different storage driver that doesn't rely on OverlayFS-on-btrfs combination (trade-off: may require rebuilding container images and storage migration). Monitor kernel logs for btrfs-related crashes or panics during fsync operations as indicators of exploitation attempts. Consult your Linux distribution's security advisories for distribution-specific patch availability and backport timelines.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy