Skip to main content

Linux Kernel btrfs CVE-2026-43308

| EUVDEUVD-2026-28578 MEDIUM
2026-05-08 Linux GHSA-mjx9-cr34-jhff
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 19:39 vuln.today
CVSS changed
May 15, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()

There is no need to BUG(), we can just return an error and log an error message.

AnalysisAI

Denial of service vulnerability in Linux kernel btrfs filesystem allows local authenticated users to trigger a kernel panic via unexpected delayed reference types. The vulnerability stems from improper error handling in run_one_delayed_ref() that invokes BUG() instead of gracefully returning an error. Patched in Linux 6.19.6 and 7.0 with proper error logging. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit or active exploitation reported, indicating minimal real-world risk despite the high availability impact in the CVSS score.

Technical ContextAI

This vulnerability affects the btrfs (B-tree filesystem) implementation in the Linux kernel, specifically the delayed reference processing subsystem. Btrfs uses delayed references to optimize metadata operations by batching updates to extent tree references. The run_one_delayed_ref() function processes these delayed references and previously contained a BUG() macro call when encountering unexpected reference types. BUG() triggers a kernel panic, immediately crashing the system. The patch replaces this with proper error handling that logs the condition and returns an error code, allowing the system to continue operation or fail gracefully. The affected code path is in the btrfs extent tree management, which handles space allocation and reference counting for filesystem extents. The CPE strings indicate this affects the core Linux kernel btrfs module across multiple versions from the initial btrfs implementation (commit 1da177e4c3f4) up to the patched versions.

RemediationAI

Upgrade to Linux kernel version 6.19.6 or 7.0 or later, which include upstream fixes in commits c7d1d4ff56744074e005771aff193b927392d51f and 5549743e11c06da23cfa7712a994b9f1e69064c6. Distribution-specific patched kernels should be applied according to vendor security advisories. For systems where immediate patching is not feasible, consider switching critical filesystems from btrfs to ext4 or xfs if operationally viable, though this requires full data migration with associated downtime and risk. Restricting local user access and implementing mandatory access controls (SELinux, AppArmor) provides defense in depth but does not prevent exploitation by legitimately authenticated users. Monitor kernel logs for btrfs-related errors as potential indicators of exploitation attempts or filesystem corruption issues. The patch itself is low-risk (converts kernel panic to error return) so update confidence is high with minimal regression risk. No known workarounds exist that prevent the vulnerable code path from being reached while maintaining normal btrfs functionality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy