Skip to main content

Linux Kernel EUVDEUVD-2026-28665

| CVE-2026-43359 MEDIUM
Integer Underflow (CWE-191)
2026-05-08 Linux GHSA-63hq-hrgx-pfwm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 15, 2026 - 13:37 vuln.today
CVSS changed
May 15, 2026 - 13:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort on set received ioctl due to item overflow

If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before.

This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even requires that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.

Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode.

A test case for fstests will follow soon.

AnalysisAI

Denial of service via transaction abort in Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set received ioctl with identical UUID values, causing filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to commence before detecting item overflow conditions, requiring only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite CVSS 5.5 severity, suggesting practical exploitation barriers despite low privilege requirements.

Technical ContextAI

The vulnerability exists in the Linux kernel's btrfs (B-tree filesystem) implementation, specifically in the set received ioctl handler which manages subvolume UUID tracking via the BTRFS_UUID_KEY_RECEIVED_SUBVOL metadata item. The root cause is an integer overflow condition (CWE-191) in the metadata item size calculation that occurs after transaction initialization and partial metadata updates have already begun. The btrfs filesystem uses a journaling mechanism where transactions must be either fully committed or aborted; once metadata updates start, attempting to add items that exceed storage limits triggers mandatory transaction abort, which puts the entire filesystem into read-only mode as a safety mechanism. The fix involves moving overflow validation to occur before any transaction begins, allowing rejection of problematic requests without triggering filesystem-wide state transitions. The exploitation window requires holding the subvol_sem semaphore in exclusive mode, which limits concurrent exploitation vectors but does not prevent sequential attacks from a single user.

RemediationAI

Vendor-released patched versions are available: upgrade to Linux kernel 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0 and later. Distributions should backport the upstream commits (referenced in the Links section) to their kernel packages. Users unable to immediately patch should consider restricting filesystem mount privileges and monitoring for read-only state transitions, which indicate exploitation attempts; however, these are compensating controls only and do not prevent the attack, merely detect it. The fix itself (early overflow validation before transaction start) has minimal performance impact and no functional side effects, making immediate patching the primary recommendation. Detailed patch information available at https://nvd.nist.gov/vuln/detail/CVE-2026-43359 and kernel commit hashes via git.kernel.org/stable/.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy