Bug 2468167 (CVE-2026-43359) - CVE-2026-43359 kernel: btrfs: fix transaction abort on set received ioctl due to item overflow
Summary: CVE-2026-43359 kernel: btrfs: fix transaction abort on set received ioctl due...
Keywords:
Status: NEW
Alias: CVE-2026-43359
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-08 15:02 UTC by OSIDB Bzimport
Modified: 2026-05-08 20:20 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-08 15:02:41 UTC 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort on set received ioctl due to item overflow

If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.

This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.

Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.

A test case for fstests will follow soon.
Comment 1 Keith Grant 2026-05-08 20:17:08 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050825-CVE-2026-43359-ec41@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.