Vulnerability-Lookup

CVE-2026-43361 (GCVE-0-2026-43361)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-08 14:21

Title

btrfs: fix transaction abort when snapshotting received subvolumes

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system. Reproducer script: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # Create a subvolume and set it to RO so that it can be used for send. btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true # Send and receive the subvolume into snaps/sv. mkdir $MNT/snaps btrfs send $MNT/sv | btrfs receive $MNT/snaps # Now snapshot the received subvolume, which has a received_uuid, a # lot of times to trigger the leaf overflow. total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo umount $MNT When running the test: $ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system And in dmesg/syslog: $ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] <TASK> [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? _raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root_ ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9a9227b488ffb7cdb…
	https://git.kernel.org/stable/c/6bce705b699cba9af…
	https://git.kernel.org/stable/c/e3d8efc157bc59045…
	https://git.kernel.org/stable/c/bac55dde8efa457e7…
	https://git.kernel.org/stable/c/770af8e465c2c3de5…
	https://git.kernel.org/stable/c/e1b18b959025e6b5d…

Impacted products

Vendor

Product

Version

Linux

Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 9a9227b488ffb7cdbb5d930a01fc6956c05ba61a (git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 6bce705b699cba9afccb996c77d194fe003dfa2a (git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < e3d8efc157bc590457d3e31da403af1a221643d6 (git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < bac55dde8efa457e769c934fd88a63f2141ba238 (git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 770af8e465c2c3de528f85e840eab462dd41542b (git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < e1b18b959025e6b5dbad668f391f65d34b39595a (git)

Linux

Affected: 3.12
Unaffected: 0 , < 3.12 (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a9227b488ffb7cdbb5d930a01fc6956c05ba61a",
              "status": "affected",
              "version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
              "versionType": "git"
            },
            {
              "lessThan": "6bce705b699cba9afccb996c77d194fe003dfa2a",
              "status": "affected",
              "version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
              "versionType": "git"
            },
            {
              "lessThan": "e3d8efc157bc590457d3e31da403af1a221643d6",
              "status": "affected",
              "version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
              "versionType": "git"
            },
            {
              "lessThan": "bac55dde8efa457e769c934fd88a63f2141ba238",
              "status": "affected",
              "version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
              "versionType": "git"
            },
            {
              "lessThan": "770af8e465c2c3de528f85e840eab462dd41542b",
              "status": "affected",
              "version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
              "versionType": "git"
            },
            {
              "lessThan": "e1b18b959025e6b5dbad668f391f65d34b39595a",
              "status": "affected",
              "version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don\u0027t\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n  $ cat test.sh\n  #!/bin/bash\n\n  DEV=/dev/sdi\n  MNT=/mnt/sdi\n\n  # Use smallest node size to make the test faster.\n  mkfs.btrfs -f --nodesize 4K $DEV\n  mount $DEV $MNT\n\n  # Create a subvolume and set it to RO so that it can be used for send.\n  btrfs subvolume create $MNT/sv\n  touch $MNT/sv/foo\n  btrfs property set $MNT/sv ro true\n\n  # Send and receive the subvolume into snaps/sv.\n  mkdir $MNT/snaps\n  btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n  # Now snapshot the received subvolume, which has a received_uuid, a\n  # lot of times to trigger the leaf overflow.\n  total=500\n  for ((i = 1; i \u003c= $total; i++)); do\n      echo -ne \"\\rCreating snapshot $i/$total\"\n      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i \u003e /dev/null\n  done\n  echo\n\n  umount $MNT\n\nWhen running the test:\n\n  $ ./test.sh\n  (...)\n  Create subvolume \u0027/mnt/sdi/sv\u0027\n  At subvol /mnt/sdi/sv\n  At subvol sv\n  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n  $ dmesg\n  (...)\n  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n  [251067.629212] ------------[ cut here ]------------\n  [251067.630033] BTRFS: Transaction aborted (error -75)\n  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n  [251067.632851] Modules linked in: btrfs dm_zero (...)\n  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n  [251067.646165] Tainted: [W]=WARN\n  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n  [251067.649984] Code: f0 48 0f (...)\n  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n  [251067.661972] Call Trace:\n  [251067.662292]  \u003cTASK\u003e\n  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]\n  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n  [251067.665238]  ? _raw_spin_unlock+0x15/0x30\n  [251067.665837]  ? record_root_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:21:15.683Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"
        },
        {
          "url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"
        }
      ],
      "title": "btrfs: fix transaction abort when snapshotting received subvolumes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43361",
    "datePublished": "2026-05-08T14:21:15.683Z",
    "dateReserved": "2026-05-01T14:12:56.005Z",
    "dateUpdated": "2026-05-08T14:21:15.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43361",
      "date": "2026-05-09",
      "epss": "0.00024",
      "percentile": "0.07036"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43361\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:46.980\",\"lastModified\":\"2026-05-08T15:16:46.980\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix transaction abort when snapshotting received subvolumes\\n\\nCurrently a user can trigger a transaction abort by snapshotting a\\npreviously received snapshot a bunch of times until we reach a\\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\\ncan store in a leaf). This is very likely not common in practice, but\\nif it happens, it turns the filesystem into RO mode. The snapshot, send\\nand set_received_subvol and subvol_setflags (used by receive) don\u0027t\\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\\ncould use this to turn a filesystem into RO mode and disrupt a system.\\n\\nReproducer script:\\n\\n  $ cat test.sh\\n  #!/bin/bash\\n\\n  DEV=/dev/sdi\\n  MNT=/mnt/sdi\\n\\n  # Use smallest node size to make the test faster.\\n  mkfs.btrfs -f --nodesize 4K $DEV\\n  mount $DEV $MNT\\n\\n  # Create a subvolume and set it to RO so that it can be used for send.\\n  btrfs subvolume create $MNT/sv\\n  touch $MNT/sv/foo\\n  btrfs property set $MNT/sv ro true\\n\\n  # Send and receive the subvolume into snaps/sv.\\n  mkdir $MNT/snaps\\n  btrfs send $MNT/sv | btrfs receive $MNT/snaps\\n\\n  # Now snapshot the received subvolume, which has a received_uuid, a\\n  # lot of times to trigger the leaf overflow.\\n  total=500\\n  for ((i = 1; i \u003c= $total; i++)); do\\n      echo -ne \\\"\\\\rCreating snapshot $i/$total\\\"\\n      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i \u003e /dev/null\\n  done\\n  echo\\n\\n  umount $MNT\\n\\nWhen running the test:\\n\\n  $ ./test.sh\\n  (...)\\n  Create subvolume \u0027/mnt/sdi/sv\u0027\\n  At subvol /mnt/sdi/sv\\n  At subvol sv\\n  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\\n  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\\n  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\\n  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\\n  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\\n\\nAnd in dmesg/syslog:\\n\\n  $ dmesg\\n  (...)\\n  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\\n  [251067.629212] ------------[ cut here ]------------\\n  [251067.630033] BTRFS: Transaction aborted (error -75)\\n  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\\n  [251067.632851] Modules linked in: btrfs dm_zero (...)\\n  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\\n  [251067.646165] Tainted: [W]=WARN\\n  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\\n  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\\n  [251067.649984] Code: f0 48 0f (...)\\n  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\\n  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\\n  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\\n  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\\n  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\\n  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\\n  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\\n  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\\n  [251067.661972] Call Trace:\\n  [251067.662292]  \u003cTASK\u003e\\n  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]\\n  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]\\n  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\\n  [251067.665238]  ? _raw_spin_unlock+0x15/0x30\\n  [251067.665837]  ? record_root_\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

GHSA-V9R8-CHWP-VMRM

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-08 15:31

Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort when snapshotting received subvolumes

Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system.

Reproducer script:

$ cat test.sh #!/bin/bash

DEV=/dev/sdi MNT=/mnt/sdi

# Use smallest node size to make the test faster. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT

# Create a subvolume and set it to RO so that it can be used for send. btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true

# Send and receive the subvolume into snaps/sv. mkdir $MNT/snaps btrfs send $MNT/sv | btrfs receive $MNT/snaps

# Now snapshot the received subvolume, which has a received_uuid, a # lot of times to trigger the leaf overflow. total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo

umount $MNT

When running the test:

$ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system

And in dmesg/syslog:

$ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-43361"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:46Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don\u0027t\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n  $ cat test.sh\n  #!/bin/bash\n\n  DEV=/dev/sdi\n  MNT=/mnt/sdi\n\n  # Use smallest node size to make the test faster.\n  mkfs.btrfs -f --nodesize 4K $DEV\n  mount $DEV $MNT\n\n  # Create a subvolume and set it to RO so that it can be used for send.\n  btrfs subvolume create $MNT/sv\n  touch $MNT/sv/foo\n  btrfs property set $MNT/sv ro true\n\n  # Send and receive the subvolume into snaps/sv.\n  mkdir $MNT/snaps\n  btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n  # Now snapshot the received subvolume, which has a received_uuid, a\n  # lot of times to trigger the leaf overflow.\n  total=500\n  for ((i = 1; i \u003c= $total; i++)); do\n      echo -ne \"\\rCreating snapshot $i/$total\"\n      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i \u003e /dev/null\n  done\n  echo\n\n  umount $MNT\n\nWhen running the test:\n\n  $ ./test.sh\n  (...)\n  Create subvolume \u0027/mnt/sdi/sv\u0027\n  At subvol /mnt/sdi/sv\n  At subvol sv\n  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n  $ dmesg\n  (...)\n  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n  [251067.629212] ------------[ cut here ]------------\n  [251067.630033] BTRFS: Transaction aborted (error -75)\n  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n  [251067.632851] Modules linked in: btrfs dm_zero (...)\n  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n  [251067.646165] Tainted: [W]=WARN\n  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n  [251067.649984] Code: f0 48 0f (...)\n  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n  [251067.661972] Call Trace:\n  [251067.662292]  \u003cTASK\u003e\n  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]\n  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n  [251067.665238]  ? _raw_spin_unlock+0x15/0x30\n  [251067.665837]  ? record_root_\n---truncated---",
  "id": "GHSA-v9r8-chwp-vmrm",
  "modified": "2026-05-08T15:31:26Z",
  "published": "2026-05-08T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43361"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2026-43361

Vulnerability from fkie_nvd - Published: 2026-05-08 15:16 - Updated: 2026-05-08 15:16

Severity ?

Summary

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don\u0027t\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n  $ cat test.sh\n  #!/bin/bash\n\n  DEV=/dev/sdi\n  MNT=/mnt/sdi\n\n  # Use smallest node size to make the test faster.\n  mkfs.btrfs -f --nodesize 4K $DEV\n  mount $DEV $MNT\n\n  # Create a subvolume and set it to RO so that it can be used for send.\n  btrfs subvolume create $MNT/sv\n  touch $MNT/sv/foo\n  btrfs property set $MNT/sv ro true\n\n  # Send and receive the subvolume into snaps/sv.\n  mkdir $MNT/snaps\n  btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n  # Now snapshot the received subvolume, which has a received_uuid, a\n  # lot of times to trigger the leaf overflow.\n  total=500\n  for ((i = 1; i \u003c= $total; i++)); do\n      echo -ne \"\\rCreating snapshot $i/$total\"\n      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i \u003e /dev/null\n  done\n  echo\n\n  umount $MNT\n\nWhen running the test:\n\n  $ ./test.sh\n  (...)\n  Create subvolume \u0027/mnt/sdi/sv\u0027\n  At subvol /mnt/sdi/sv\n  At subvol sv\n  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n  $ dmesg\n  (...)\n  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n  [251067.629212] ------------[ cut here ]------------\n  [251067.630033] BTRFS: Transaction aborted (error -75)\n  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n  [251067.632851] Modules linked in: btrfs dm_zero (...)\n  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n  [251067.646165] Tainted: [W]=WARN\n  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n  [251067.649984] Code: f0 48 0f (...)\n  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n  [251067.661972] Call Trace:\n  [251067.662292]  \u003cTASK\u003e\n  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]\n  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n  [251067.665238]  ? _raw_spin_unlock+0x15/0x30\n  [251067.665837]  ? record_root_\n---truncated---"
    }
  ],
  "id": "CVE-2026-43361",
  "lastModified": "2026-05-08T15:16:46.980",
  "metrics": {},
  "published": "2026-05-08T15:16:46.980",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Received"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-43361 (GCVE-0-2026-43361)

GHSA-V9R8-CHWP-VMRM

FKIE_CVE-2026-43361

Tags

Sightings

Nomenclature