CVE-2026-43308 Overview
CVE-2026-43308 affects the Linux kernel's btrfs filesystem implementation. The vulnerability resides in the run_one_delayed_ref() function, which invokes BUG() when it encounters an unexpected delayed reference type. Triggering this code path crashes the kernel instead of returning a recoverable error to the caller. The upstream fix replaces the BUG() call with an error return and a logged error message. The issue requires local access with low privileges and produces a high availability impact through kernel panic.
Critical Impact
A local authenticated user can trigger a kernel BUG() in the btrfs delayed reference handler, causing a system crash and denial of service on affected Linux hosts.
Affected Products
- Linux kernel (btrfs filesystem subsystem)
- Distributions shipping vulnerable mainline and stable kernel versions
- Systems mounting btrfs volumes accessible to local users
Discovery Timeline
- 2026-05-08 - CVE-2026-43308 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43308
Vulnerability Analysis
The btrfs filesystem maintains delayed references that are processed by run_one_delayed_ref() during transaction commits and reference counting operations. The function previously invoked BUG() when the delayed reference type did not match an expected value. BUG() triggers an immediate kernel panic on configurations where panic_on_oops is enabled, and otherwise produces an oops that leaves the kernel in an unrecoverable state for that task.
The upstream patches at commits 5549743e11c06da23cfa7712a994b9f1e69064c6 and c7d1d4ff56744074e005771aff193b927392d51f convert the unconditional BUG() into an error return paired with an error log message. The caller chain in btrfs transaction handling can then propagate the failure rather than halting the kernel.
This is a kernel availability defect [NVD-CWE-noinfo] rather than a memory corruption or privilege escalation flaw. Confidentiality and integrity are not impacted under the published CVSS vector.
Root Cause
The root cause is defensive use of BUG() for an unexpected runtime condition that is reachable from filesystem state. Any code path that produces a delayed reference structure with an unrecognized type reaches the BUG() site and crashes the kernel instead of failing gracefully.
Attack Vector
The attack vector is local. A user able to influence btrfs metadata or operate on a crafted btrfs image, for example through mounting or filesystem operations on a controlled volume, can drive the delayed reference handler into the unexpected type path. Successful exploitation produces a kernel crash and terminates all workloads on the affected host.
No public exploit code or proof-of-concept is listed for CVE-2026-43308, and CISA has not added it to the Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-43308
Indicators of Compromise
- Kernel panic or oops messages referencing run_one_delayed_ref in dmesg or /var/log/kern.log
- Unexpected reboots on hosts mounting btrfs volumes from untrusted sources
- Crash dumps showing btrfs transaction commit paths on the panicking CPU
Detection Strategies
- Compare running kernel version against vendor advisories that reference commits 5549743e11c06da23cfa7712a994b9f1e69064c6 and c7d1d4ff56744074e005771aff193b927392d51f.
- Inventory hosts that mount btrfs filesystems, particularly those exposing mount or loop device operations to non-root users.
- Audit recent kernel crash artifacts under /var/crash for stack traces involving btrfs delayed reference processing.
Monitoring Recommendations
- Forward kern.log and journald kernel facility events to a central log store and alert on BUG: or Oops: entries containing btrfs.
- Monitor uptime regressions and unscheduled reboots on Linux fleet members running btrfs root or data volumes.
- Track btrfs mount events involving removable media or user-supplied images.
How to Mitigate CVE-2026-43308
Immediate Actions Required
- Apply the stable kernel update containing commits 5549743e11c06da23cfa7712a994b9f1e69064c6 and c7d1d4ff56744074e005771aff193b927392d51f from your distribution.
- Restrict mounting of btrfs filesystems from untrusted sources to administrators only.
- Disable automatic mounting of removable media on multi-user Linux systems where btrfs is supported.
Patch Information
The fix is published in the upstream Linux stable tree. Reference the Linux stable commit 5549743e and the Linux stable commit c7d1d4ff for the exact source changes. Distribution vendors will ship the corrected behavior in their next kernel security update; install vendor-provided kernel packages and reboot affected hosts.
Workarounds
- Avoid mounting btrfs images from untrusted users until the patched kernel is deployed.
- Use mount option restrictions and udev rules to block non-administrative users from invoking mount on btrfs volumes.
- Where btrfs is not required, prefer ext4 or xfs for workloads that accept user-supplied disk images.
# Verify running kernel and check for the fixed commits in your distribution changelog
uname -r
rpm -q --changelog kernel | grep -E '5549743e|c7d1d4ff' # RHEL/Fedora
apt changelog linux-image-$(uname -r) | grep -E '5549743e|c7d1d4ff' # Debian/Ubuntu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
