{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43361", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.005Z", "datePublished": "2026-05-08T14:21:15.683Z", "dateUpdated": "2026-05-08T14:21:15.683Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:21:15.683Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don't\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n $ cat test.sh\n #!/bin/bash\n\n DEV=/dev/sdi\n MNT=/mnt/sdi\n\n # Use smallest node size to make the test faster.\n mkfs.btrfs -f --nodesize 4K $DEV\n mount $DEV $MNT\n\n # Create a subvolume and set it to RO so that it can be used for send.\n btrfs subvolume create $MNT/sv\n touch $MNT/sv/foo\n btrfs property set $MNT/sv ro true\n\n # Send and receive the subvolume into snaps/sv.\n mkdir $MNT/snaps\n btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n # Now snapshot the received subvolume, which has a received_uuid, a\n # lot of times to trigger the leaf overflow.\n total=500\n for ((i = 1; i <= $total; i++)); do\n echo -ne \"\\rCreating snapshot $i/$total\"\n btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null\n done\n echo\n\n umount $MNT\n\nWhen running the test:\n\n $ ./test.sh\n (...)\n Create subvolume '/mnt/sdi/sv'\n At subvol /mnt/sdi/sv\n At subvol sv\n Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n $ dmesg\n (...)\n [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n [251067.629212] ------------[ cut here ]------------\n [251067.630033] BTRFS: Transaction aborted (error -75)\n [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n [251067.632851] Modules linked in: btrfs dm_zero (...)\n [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n [251067.646165] Tainted: [W]=WARN\n [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n [251067.649984] Code: f0 48 0f (...)\n [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n [251067.661972] Call Trace:\n [251067.662292] <TASK>\n [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]\n [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n [251067.665238] ? _raw_spin_unlock+0x15/0x30\n [251067.665837] ? record_root_\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/transaction.c"], "versions": [{"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70", "lessThan": "9a9227b488ffb7cdbb5d930a01fc6956c05ba61a", "status": "affected", "versionType": "git"}, {"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70", "lessThan": "6bce705b699cba9afccb996c77d194fe003dfa2a", "status": "affected", "versionType": "git"}, {"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70", "lessThan": "e3d8efc157bc590457d3e31da403af1a221643d6", "status": "affected", "versionType": "git"}, {"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70", "lessThan": "bac55dde8efa457e769c934fd88a63f2141ba238", "status": "affected", "versionType": "git"}, {"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70", "lessThan": "770af8e465c2c3de528f85e840eab462dd41542b", "status": "affected", "versionType": "git"}, {"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70", "lessThan": "e1b18b959025e6b5dbad668f391f65d34b39595a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/transaction.c"], "versions": [{"version": "3.12", "status": "affected"}, {"version": "0", "lessThan": "3.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"}, {"url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"}, {"url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"}, {"url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"}, {"url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"}, {"url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"}], "title": "btrfs: fix transaction abort when snapshotting received subvolumes", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don't\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n $ cat test.sh\n #!/bin/bash\n\n DEV=/dev/sdi\n MNT=/mnt/sdi\n\n # Use smallest node size to make the test faster.\n mkfs.btrfs -f --nodesize 4K $DEV\n mount $DEV $MNT\n\n # Create a subvolume and set it to RO so that it can be used for send.\n btrfs subvolume create $MNT/sv\n touch $MNT/sv/foo\n btrfs property set $MNT/sv ro true\n\n # Send and receive the subvolume into snaps/sv.\n mkdir $MNT/snaps\n btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n # Now snapshot the received subvolume, which has a received_uuid, a\n # lot of times to trigger the leaf overflow.\n total=500\n for ((i = 1; i <= $total; i++)); do\n echo -ne \"\\rCreating snapshot $i/$total\"\n btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null\n done\n echo\n\n umount $MNT\n\nWhen running the test:\n\n $ ./test.sh\n (...)\n Create subvolume '/mnt/sdi/sv'\n At subvol /mnt/sdi/sv\n At subvol sv\n Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n $ dmesg\n (...)\n [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n [251067.629212] ------------[ cut here ]------------\n [251067.630033] BTRFS: Transaction aborted (error -75)\n [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n [251067.632851] Modules linked in: btrfs dm_zero (...)\n [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n [251067.646165] Tainted: [W]=WARN\n [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n [251067.649984] Code: f0 48 0f (...)\n [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n [251067.661972] Call Trace:\n [251067.662292] <TASK>\n [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]\n [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n [251067.665238] ? _raw_spin_unlock+0x15/0x30\n [251067.665837] ? record_root_\n---truncated---"}], "id": "CVE-2026-43361", "lastModified": "2026-05-08T15:16:46.980", "metrics": {}, "published": "2026-05-08T15:16:46.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"created": "2026-05-08T16:15:12.713556+00:00", "updated": "2026-05-08T16:15:12.713566+00:00", "vendors": [], "weaknesses": ["CWE-190"]}