CVE-2026-43359

EPSS 0.01%
Veröffentlicht 08.05.2026 14:21:14
Zuletzt bearbeitet 15.05.2026 13:32:58
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

btrfs: fix transaction abort on set received ioctl due to item overflow

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction abort on set received ioctl due to item overflow

If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.

This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.

Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.

A test case for fstests will follow soon.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 8 VulnDex Vulnerability Enrichment 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 3.12 < 6.1.167

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.130

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.78

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.19

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.9

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-191 Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

https://git.kernel.org/stable/c/b9914db13ac15aca3b74544c0bb1a2e0dad1f174

Patch

https://git.kernel.org/stable/c/b19c0465e4daad5aa8f60552ea0578cf31a11b1e

Patch

https://git.kernel.org/stable/c/2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5

Patch

https://git.kernel.org/stable/c/d11aefe654a04fc41996d254748d6a38b6b0a7be

Patch

https://git.kernel.org/stable/c/41fb97353ff58fa4f31904c343fc8e3df2f7517d

Patch

https://git.kernel.org/stable/c/87f2c46003fce4d739138aab4af1942b1afdadac

Patch