Skip to main content

Linux Kernel EUVDEUVD-2026-28622

| CVE-2026-43338 MEDIUM
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5h67-3fpf-pw2r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 20:08 vuln.today
CVSS changed
May 15, 2026 - 20:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reserve enough transaction items for qgroup ioctls

Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC such that other critical metadata updates need to resort to the global reserve.

However this is not optimal, as not reserving proper space may result in a transaction abort due to not reserving space for delayed refs and then abusing the use of the global block reserve.

For example, the following reproducer (which is unlikely to model any real world use case, but just to illustrate the problem), triggers such a transaction abort due to -ENOSPC when running delayed refs:

$ cat test.sh #!/bin/bash

DEV=/dev/nullb0 MNT=/mnt/nullb0

umount $DEV &> /dev/null

Limit device to 1G so that it's much faster to reproduce the issue.

mkfs.btrfs -f -b 1G $DEV mount -o commit=600 $DEV $MNT

fallocate -l 800M $MNT/filler btrfs quota enable $MNT

for ((i = 1; i <= 400000; i++)); do btrfs qgroup create 1/$i $MNT done

umount $MNT

When running this, we can see in dmesg/syslog that a transaction abort happened:

[436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28 [436.493] ------------[ cut here ]------------ [436.494] BTRFS: Transaction aborted (error -28) [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372 [436.497] Modules linked in: btrfs loop (...) [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [436.510] Tainted: [W]=WARN [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs] [436.514] Code: 0f 82 ea (...) [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292 [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001 [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80 [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867 [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400 [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000 [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000 [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0 [436.530] Call Trace: [436.530] <TASK> [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs] [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs] [436.532] sync_filesystem+0x7a/0x90 [436.533] generic_shutdown_super+0x28/0x180 [436.533] kill_anon_super+0x12/0x40 [436.534] btrfs_kill_super+0x12/0x20 [btrfs] [436.534] deactivate_locked_super+0x2f/0xb0 [436.534] cleanup_mnt+0xea/0x180 [436.535] task_work_run+0x58/0xa0 [436.535] exit_to_user_mode_loop+0xed/0x480 [436.536] ? __x64_sys_umount+0x68/0x80 [436.536] do_syscall_64+0x2a5/0xf20 [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e [436.537] RIP: 0033:0x7fe5906b6217 [436.538] Code: 0d 00 f7 (...) [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217 [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100 [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff [436.544] R10: 0000000000000103 R11: ---truncated---

AnalysisAI

Transaction abort and denial of service in Linux kernel btrfs qgroup ioctls occurs when quota group operations fail to reserve transaction space for metadata updates and delayed references, resulting in -ENOSPC errors under filesystem pressure. Affected versions include mainline kernel through 6.19.x and stable branches 6.12.x and 6.18.x, with patches available in 6.12.81, 6.18.22, 6.19.12, and 7.0. Local authenticated users can trigger filesystem unavailability through qgroup operations. EPSS exploitation probability is low (0.02%), no active exploitation confirmed, and this represents a stability issue rather than a direct security compromise, though availability impact is high per CVSS 5.5 score.

Technical ContextAI

Btrfs (B-tree filesystem) uses qgroups (quota groups) for space accounting and limitations. The vulnerability exists in the transaction space reservation mechanism for qgroup ioctls. Normally, btrfs operations reserve metadata space before modifying trees, but qgroup ioctls perform only transaction joins without reserving space for quota tree updates or delayed references (deferred metadata operations). The quota root relies on the global block reserve, which serves as emergency space for critical operations. Under filesystem pressure when approaching -ENOSPC (no space), the combination of unreserved qgroup operations generating delayed refs and competing demands for the global reserve causes transaction abort with error -28 (ENOSPC). The affected code path is in fs/btrfs/extent-tree.c at btrfs_run_delayed_refs, triggered during transaction commit when delayed references execute.

RemediationAI

Upgrade to patched kernel versions: 6.12.81, 6.18.22, 6.19.12, or 7.0 stable release. Patches available from kernel.org stable tree at https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e (mainline), https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3 (6.19.x), https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c (6.18.x), and https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8 (6.12.x). Until patching, implement workarounds: disable btrfs quota functionality with 'btrfs quota disable' if not required for space management (eliminates attack vector but removes quota enforcement capability); maintain adequate free space on btrfs filesystems (20%+ recommended) to prevent near-ENOSPC conditions where global reserve contention occurs; limit quota group creation through administrative controls to prevent excessive qgroup proliferation that stresses metadata reservation system. Monitor filesystem space with 'btrfs filesystem usage' and kernel logs for transaction abort warnings. Note that disabling quotas prevents subvolume space accounting and may impact backup strategies relying on qgroup limits.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy