CVE-2026-43338 (GCVE-0-2026-43338)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-09 04:10
VLAI?
Title
btrfs: reserve enough transaction items for qgroup ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reserve enough transaction items for qgroup ioctls
Currently our qgroup ioctls don't reserve any space, they just do a
transaction join, which does not reserve any space, neither for the quota
tree updates nor for the delayed refs generated when updating the quota
tree. The quota root uses the global block reserve, which is fine most of
the time since we don't expect a lot of updates to the quota root, or to
be too close to -ENOSPC such that other critical metadata updates need to
resort to the global reserve.
However this is not optimal, as not reserving proper space may result in a
transaction abort due to not reserving space for delayed refs and then
abusing the use of the global block reserve.
For example, the following reproducer (which is unlikely to model any
real world use case, but just to illustrate the problem), triggers such a
transaction abort due to -ENOSPC when running delayed refs:
$ cat test.sh
#!/bin/bash
DEV=/dev/nullb0
MNT=/mnt/nullb0
umount $DEV &> /dev/null
# Limit device to 1G so that it's much faster to reproduce the issue.
mkfs.btrfs -f -b 1G $DEV
mount -o commit=600 $DEV $MNT
fallocate -l 800M $MNT/filler
btrfs quota enable $MNT
for ((i = 1; i <= 400000; i++)); do
btrfs qgroup create 1/$i $MNT
done
umount $MNT
When running this, we can see in dmesg/syslog that a transaction abort
happened:
[436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28
[436.493] ------------[ cut here ]------------
[436.494] BTRFS: Transaction aborted (error -28)
[436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372
[436.497] Modules linked in: btrfs loop (...)
[436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[436.510] Tainted: [W]=WARN
[436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]
[436.514] Code: 0f 82 ea (...)
[436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292
[436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001
[436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80
[436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867
[436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400
[436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000
[436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000
[436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0
[436.530] Call Trace:
[436.530] <TASK>
[436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs]
[436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]
[436.532] sync_filesystem+0x7a/0x90
[436.533] generic_shutdown_super+0x28/0x180
[436.533] kill_anon_super+0x12/0x40
[436.534] btrfs_kill_super+0x12/0x20 [btrfs]
[436.534] deactivate_locked_super+0x2f/0xb0
[436.534] cleanup_mnt+0xea/0x180
[436.535] task_work_run+0x58/0xa0
[436.535] exit_to_user_mode_loop+0xed/0x480
[436.536] ? __x64_sys_umount+0x68/0x80
[436.536] do_syscall_64+0x2a5/0xf20
[436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[436.537] RIP: 0033:0x7fe5906b6217
[436.538] Code: 0d 00 f7 (...)
[436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217
[436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100
[436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff
[436.544] R10: 0000000000000103 R11:
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5d13a37bd5327220e13329943d1228acfbe5934a , < bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8
(git)
Affected: 5d13a37bd5327220e13329943d1228acfbe5934a , < cf930a651eef6f8d915bf0ccd60c2045974f870c (git) Affected: 5d13a37bd5327220e13329943d1228acfbe5934a , < 386f5e16a383101a68e195c806b4eedb233cd1d3 (git) Affected: 5d13a37bd5327220e13329943d1228acfbe5934a , < f9a4e3015db1aeafbef407650eb8555445ca943e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
},
{
"lessThan": "cf930a651eef6f8d915bf0ccd60c2045974f870c",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
},
{
"lessThan": "386f5e16a383101a68e195c806b4eedb233cd1d3",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
},
{
"lessThan": "f9a4e3015db1aeafbef407650eb8555445ca943e",
"status": "affected",
"version": "5d13a37bd5327220e13329943d1228acfbe5934a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reserve enough transaction items for qgroup ioctls\n\nCurrently our qgroup ioctls don\u0027t reserve any space, they just do a\ntransaction join, which does not reserve any space, neither for the quota\ntree updates nor for the delayed refs generated when updating the quota\ntree. The quota root uses the global block reserve, which is fine most of\nthe time since we don\u0027t expect a lot of updates to the quota root, or to\nbe too close to -ENOSPC such that other critical metadata updates need to\nresort to the global reserve.\n\nHowever this is not optimal, as not reserving proper space may result in a\ntransaction abort due to not reserving space for delayed refs and then\nabusing the use of the global block reserve.\n\nFor example, the following reproducer (which is unlikely to model any\nreal world use case, but just to illustrate the problem), triggers such a\ntransaction abort due to -ENOSPC when running delayed refs:\n\n $ cat test.sh\n #!/bin/bash\n\n DEV=/dev/nullb0\n MNT=/mnt/nullb0\n\n umount $DEV \u0026\u003e /dev/null\n # Limit device to 1G so that it\u0027s much faster to reproduce the issue.\n mkfs.btrfs -f -b 1G $DEV\n mount -o commit=600 $DEV $MNT\n\n fallocate -l 800M $MNT/filler\n btrfs quota enable $MNT\n\n for ((i = 1; i \u003c= 400000; i++)); do\n btrfs qgroup create 1/$i $MNT\n done\n\n umount $MNT\n\nWhen running this, we can see in dmesg/syslog that a transaction abort\nhappened:\n\n [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28\n [436.493] ------------[ cut here ]------------\n [436.494] BTRFS: Transaction aborted (error -28)\n [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372\n [436.497] Modules linked in: btrfs loop (...)\n [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n [436.510] Tainted: [W]=WARN\n [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]\n [436.514] Code: 0f 82 ea (...)\n [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292\n [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001\n [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80\n [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867\n [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400\n [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000\n [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000\n [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0\n [436.530] Call Trace:\n [436.530] \u003cTASK\u003e\n [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs]\n [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]\n [436.532] sync_filesystem+0x7a/0x90\n [436.533] generic_shutdown_super+0x28/0x180\n [436.533] kill_anon_super+0x12/0x40\n [436.534] btrfs_kill_super+0x12/0x20 [btrfs]\n [436.534] deactivate_locked_super+0x2f/0xb0\n [436.534] cleanup_mnt+0xea/0x180\n [436.535] task_work_run+0x58/0xa0\n [436.535] exit_to_user_mode_loop+0xed/0x480\n [436.536] ? __x64_sys_umount+0x68/0x80\n [436.536] do_syscall_64+0x2a5/0xf20\n [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [436.537] RIP: 0033:0x7fe5906b6217\n [436.538] Code: 0d 00 f7 (...)\n [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217\n [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100\n [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff\n [436.544] R10: 0000000000000103 R11: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:10:38.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8"
},
{
"url": "https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c"
},
{
"url": "https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3"
},
{
"url": "https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e"
}
],
"title": "btrfs: reserve enough transaction items for qgroup ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43338",
"datePublished": "2026-05-08T13:31:23.623Z",
"dateReserved": "2026-05-01T14:12:56.003Z",
"dateUpdated": "2026-05-09T04:10:38.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43338",
"date": "2026-05-09",
"epss": "0.00018",
"percentile": "0.04722"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-43338\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T14:16:43.630\",\"lastModified\":\"2026-05-08T14:16:43.630\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: reserve enough transaction items for qgroup ioctls\\n\\nCurrently our qgroup ioctls don\u0027t reserve any space, they just do a\\ntransaction join, which does not reserve any space, neither for the quota\\ntree updates nor for the delayed refs generated when updating the quota\\ntree. The quota root uses the global block reserve, which is fine most of\\nthe time since we don\u0027t expect a lot of updates to the quota root, or to\\nbe too close to -ENOSPC such that other critical metadata updates need to\\nresort to the global reserve.\\n\\nHowever this is not optimal, as not reserving proper space may result in a\\ntransaction abort due to not reserving space for delayed refs and then\\nabusing the use of the global block reserve.\\n\\nFor example, the following reproducer (which is unlikely to model any\\nreal world use case, but just to illustrate the problem), triggers such a\\ntransaction abort due to -ENOSPC when running delayed refs:\\n\\n $ cat test.sh\\n #!/bin/bash\\n\\n DEV=/dev/nullb0\\n MNT=/mnt/nullb0\\n\\n umount $DEV \u0026\u003e /dev/null\\n # Limit device to 1G so that it\u0027s much faster to reproduce the issue.\\n mkfs.btrfs -f -b 1G $DEV\\n mount -o commit=600 $DEV $MNT\\n\\n fallocate -l 800M $MNT/filler\\n btrfs quota enable $MNT\\n\\n for ((i = 1; i \u003c= 400000; i++)); do\\n btrfs qgroup create 1/$i $MNT\\n done\\n\\n umount $MNT\\n\\nWhen running this, we can see in dmesg/syslog that a transaction abort\\nhappened:\\n\\n [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28\\n [436.493] ------------[ cut here ]------------\\n [436.494] BTRFS: Transaction aborted (error -28)\\n [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372\\n [436.497] Modules linked in: btrfs loop (...)\\n [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\\n [436.510] Tainted: [W]=WARN\\n [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\\n [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]\\n [436.514] Code: 0f 82 ea (...)\\n [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292\\n [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001\\n [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80\\n [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867\\n [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400\\n [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000\\n [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000\\n [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0\\n [436.530] Call Trace:\\n [436.530] \u003cTASK\u003e\\n [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs]\\n [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]\\n [436.532] sync_filesystem+0x7a/0x90\\n [436.533] generic_shutdown_super+0x28/0x180\\n [436.533] kill_anon_super+0x12/0x40\\n [436.534] btrfs_kill_super+0x12/0x20 [btrfs]\\n [436.534] deactivate_locked_super+0x2f/0xb0\\n [436.534] cleanup_mnt+0xea/0x180\\n [436.535] task_work_run+0x58/0xa0\\n [436.535] exit_to_user_mode_loop+0xed/0x480\\n [436.536] ? __x64_sys_umount+0x68/0x80\\n [436.536] do_syscall_64+0x2a5/0xf20\\n [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n [436.537] RIP: 0033:0x7fe5906b6217\\n [436.538] Code: 0d 00 f7 (...)\\n [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\\n [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217\\n [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100\\n [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff\\n [436.544] R10: 0000000000000103 R11: \\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…