Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort on set received ioctl due to item overflow

If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.

This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.

Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.

A test case for fstests will follow soon.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local user who owns a Btrfs subvolume can trigger an item overflow by repeatedly invoking the set received ioctl with the same UUID. Prior to the fix, the kernel started a transaction before checking for overflow, and when the overflow occurred the transaction aborted, forcing the entire filesystem into read‑only mode. This overflow is an example of integer overflow (CWE‑191) and memory allocation overflow (CWE‑770). The applied fix performs an early check for item overflow before starting the transaction, preventing the abort and keeping the filesystem operational. This flaw allows a non‑elevated user to disrupt availability of the file system rather than compromising confidentiality or integrity.

Affected Systems

This issue affects all recent releases of the Linux kernel that include the Btrfs filesystem driver. Any system running a kernel that is built with btrfs support and allows subvolume ownership is potentially impacted. The affected product is the Linux operating system kernel, all distributions that ship it by default.

Risk and Exploitability

The vulnerability requires local access and ownership of a Btrfs subvolume; no administrative privileges are necessary. Because the exploit path involves a simple ioctl call that can be performed by any subvolume owner, the risk is considered moderate. Exploitation would result in a denial of service for all users on the affected mount point. The EPSS score of < 1% indicates a very low probability of exploitation, and the CVE is not listed in the CISA KEV catalog. With a CVSS score of 5.5, this vulnerability is considered medium severity. The attack vector is local and does not traverse a network boundary. No publicly documented exploit code exists at this time.

Generated by OpenCVE AI on May 15, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for CVE-2026-43359
  • Configure a Linux Security Module (e.g., SELinux, AppArmor) or use LSM hooks to deny the set received ioctl to users that do not possess CAP_SYS_ADMIN, thereby preventing the overflow and mitigating the integer and allocation overflow weaknesses (CWE‑191, CWE‑770)
  • If the kernel runs in a containerized environment, apply seccomp filters to block the BTRFS_UUID_KEY_RECEIVED_SUBVOL ioctl or restrict it to privileged containers; this limits local exploitation paths and reduces the impact of the overflow

Generated by OpenCVE AI on May 15, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-658

Fri, 15 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-658

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even requires that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode. A test case for fstests will follow soon.
Title btrfs: fix transaction abort on set received ioctl due to item overflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:23:03.390Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43359

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:46.717

Modified: 2026-05-15T13:32:58.217

Link: CVE-2026-43359

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43359 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T17:00:04Z

Weaknesses