Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort on set received ioctl due to item overflow

If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.

This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.

Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.

A test case for fstests will follow soon.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local user who owns a Btrfs subvolume can trigger an item overflow by repeatedly invoking the set received ioctl with the same UUID. Prior to the fix, the kernel started a transaction before checking for overflow, and when the overflow occurred the transaction aborted, forcing the entire filesystem into read‑only mode. The applied fix performs an early check for item overflow before starting the transaction, preventing the abort and keeping the filesystem operational. This flaw allows a non‑elevated user to disrupt availability of the file system rather than compromising confidentiality or integrity.

Affected Systems

This issue affects all recent releases of the Linux kernel that include the Btrfs filesystem driver. Any system running a kernel that is built with btrfs support and allows subvolume ownership is potentially impacted. The affected product is the Linux operating system kernel, all distributions that ship it by default.

Risk and Exploitability

The vulnerability requires local access and ownership of a Btrfs subvolume; no administrative privileges are necessary. Because the exploit path involves a simple ioctl call that can be performed by any subvolume owner, the risk is considered moderate. Exploitation would result in a denial of service for all users on the affected mount point. EPSS data is not available, and the CVE is not listed in the CISA KEV catalog. With a CVSS score of 7.0, this vulnerability is considered medium severity. The attack vector is local and does not traverse a network boundary. No publicly documented exploit code exists at this time.

Generated by OpenCVE AI on May 9, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for CVE-2026-43359
  • Restrict the use of the set received ioctl to trusted users only via access control or custom ACLs
  • Reboot or remount the Btrfs filesystem as read/write by a privileged user after an accidental ro state is detected

Generated by OpenCVE AI on May 9, 2026 at 02:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-658

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even requires that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode. A test case for fstests will follow soon.
Title btrfs: fix transaction abort on set received ioctl due to item overflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:14.357Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43359

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:46.717

Modified: 2026-05-08T15:16:46.717

Link: CVE-2026-43359

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43359 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T02:15:06Z

Weaknesses