CVE-2026-43359
Received Received - Intake
Buffer Overflow Fix in Linux Kernel Btrfs

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even requires that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode. A test case for fstests will follow soon.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43359
EUVD
EUVD-2026-28665
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BTRFS filesystem related to the set received ioctl operation. When this ioctl is called with the same received UUID field for many subvolumes, it can cause an item overflow. This overflow triggers a transaction abort because some metadata updates have already been made before the failure.

The transaction abort causes the filesystem to switch into read-only (RO) mode. Importantly, this ioctl does not require administrative privileges (CAP_SYS_ADMIN); it only requires ownership of the subvolume, which means a non-admin user can exploit this.

The fix involves performing an early check for item overflow before starting a transaction, ensuring race safety by holding the subvol_sem semaphore in exclusive write mode.

Impact Analysis

This vulnerability can impact you by causing the BTRFS filesystem to become read-only unexpectedly. If exploited, a malicious user who owns a subvolume can trigger the overflow and transaction abort, forcing the filesystem into read-only mode.

This can disrupt normal operations, preventing write access to the filesystem and potentially causing service interruptions or data availability issues.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the fix for the btrfs transaction abort on set received ioctl due to item overflow has been applied.

This fix includes an early check for item overflow before starting a transaction, preventing the filesystem from turning into read-only mode due to this issue.

Until the update is applied, restrict untrusted users from owning or accessing subvolumes to prevent exploitation, as the ioctl does not require admin privileges but does require subvolume ownership.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart