CVE-2026-43338 Overview
CVE-2026-43338 is a Linux kernel vulnerability in the btrfs filesystem's qgroup (quota group) ioctl handlers. The qgroup ioctls join a transaction without reserving space for quota tree updates or the delayed refs generated when updating the quota tree. Under sustained qgroup operations, the kernel exhausts the global block reserve and aborts the transaction with -ENOSPC when running delayed refs. This results in a filesystem-level transaction abort affecting availability on the affected mount.
Critical Impact
A local user with permission to invoke btrfs qgroup ioctls can trigger a transaction abort, causing the filesystem to enter an error state and disrupting availability of the btrfs volume.
Affected Products
- Linux Kernel (mainline, including 7.0-rc1 through 7.0-rc4)
- Linux Kernel stable branches prior to fixed commits
- Distributions shipping btrfs with unpatched kernels
Discovery Timeline
- 2026-05-08 - CVE-2026-43338 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43338
Vulnerability Analysis
The defect resides in the btrfs qgroup ioctl path. When userspace invokes a qgroup-related ioctl such as creating, removing, or assigning a qgroup, the kernel calls btrfs_join_transaction() rather than btrfs_start_transaction() with a calculated reservation. A transaction join allocates no block reservation for the upcoming quota tree mutations or for the delayed references those mutations generate.
The quota root falls back to the global block reserve to complete its writes. This works under light load but is unsafe when many qgroup operations accumulate within a single transaction, particularly with long commit intervals. The reproducer in the upstream commit message creates 400,000 qgroups under commit=600, which depletes the global reserve and triggers a WARNING in btrfs_run_delayed_refs+0xd9/0x110, followed by a transaction abort.
Root Cause
The root cause is missing space reservation in the btrfs qgroup ioctl handlers. The code path performs a transaction join without accounting for the metadata cost of updating the quota tree and the delayed ref records produced by those updates. The global block reserve is treated as an unconditional safety net rather than a last-resort allocator [NVD-CWE-noinfo].
Attack Vector
Exploitation requires local access and the privilege to invoke btrfs qgroup ioctls on a mounted btrfs filesystem with quotas enabled. An attacker scripts a high volume of btrfs qgroup create or related ioctl calls within one transaction window, exhausts the global reserve, and forces btrfs_run_delayed_refs() to return -ENOSPC. The transaction aborts and the filesystem transitions to a read-only error state until remount or reboot. The flaw does not yield code execution, memory disclosure, or privilege escalation.
The vulnerability is described here in prose; verified exploitation code is limited to the reproducer shell script in the upstream commit. See Kernel Git Commit f9a4e30 for the authoritative fix.
Detection Methods for CVE-2026-43338
Indicators of Compromise
- Kernel log entries containing "BTRFS error (device <dev>): failed to run delayed ref" with error code -28 (-ENOSPC).
- "BTRFS: Transaction aborted (error -28)" messages followed by a WARNING at fs/btrfs/extent-tree.c in btrfs_run_delayed_refs.
- Affected btrfs filesystems transitioning to read-only at runtime without disk capacity exhaustion.
Detection Strategies
- Parse /var/log/messages, the output of journalctl -k, or syslog for the specific "Transaction aborted" and "failed to run delayed ref" strings on hosts using btrfs with quotas enabled.
- Audit process execution for sustained or scripted btrfs qgroup create, btrfs qgroup assign, or equivalent ioctl activity from non-administrative users.
- Correlate filesystem read-only transitions with preceding qgroup ioctl bursts to attribute outages to this defect.
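The log matching and correlation steps above can be combined in one pass. The following is an added example, not code from the advisory or the kernel project. It assumes kernel log lines in journalctl -k -o short-iso form and qgroup invocation events already extracted as (timestamp, uid) pairs from process auditing. The 600-second window mirrors the commit=600 reproducer, and the burst threshold and sample data are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S%z"  # timestamp format of `journalctl -k -o short-iso`
# Indicator strings from the advisory; kept loose because wording varies by kernel.
PATTERNS = {
    "delayed_ref": re.compile(r"BTRFS error \(device (?P<dev>[^)\s]+)[^)]*\).*failed to run delayed ref"),
    "aborted": re.compile(r"BTRFS: Transaction aborted \(error -28\)"),
    "warning": re.compile(r"WARNING.*btrfs_run_delayed_refs"),
}

def find_aborts(log_lines, slack=timedelta(seconds=5)):
    """One finding per -ENOSPC transaction abort, with nearby indicators attached."""
    hits = []
    for line in log_lines:
        stamp, _, rest = line.partition(" ")
        for kind, pattern in PATTERNS.items():
            m = pattern.search(rest)
            if m:  # the timestamp is parsed only for lines that carry an indicator
                hits.append((datetime.strptime(stamp, TS_FMT), kind, m.groupdict().get("dev")))
    findings = []
    for when, kind, _ in hits:
        if kind == "aborted":
            # Message order differs between kernels, so match by time proximity.
            near = [h for h in hits if abs(h[0] - when) <= slack]
            findings.append({"time": when,
                             "device": next((d for _, k, d in near if k == "delayed_ref"), None),
                             "warning_seen": any(k == "warning" for _, k, _ in near)})
    return findings

def attribute(findings, qgroup_events, window=timedelta(seconds=600), burst=1000):
    """Attach per-uid qgroup invocation counts from the window before each abort."""
    for f in findings:
        counts = Counter(uid for ts, uid in qgroup_events if f["time"] - window <= ts <= f["time"])
        f["qgroup_burst"] = {uid: n for uid, n in counts.items() if n >= burst}
    return findings

# Constructed sample input, not captured from a real host.
SAMPLE_LOG = [
    "2026-05-10T12:10:00+0000 host kernel: BTRFS error (device sdb1): failed to run delayed ref, error -28",
    "2026-05-10T12:10:00+0000 host kernel: BTRFS: Transaction aborted (error -28)",
    "2026-05-10T12:10:00+0000 host kernel: WARNING: CPU: 2 PID: 4242 at fs/btrfs/extent-tree.c btrfs_run_delayed_refs+0xd9/0x110 [btrfs]",
]
T0 = datetime.strptime("2026-05-10T12:01:00+0000", TS_FMT)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i // 3), 1001) for i in range(1500)] + [(T0, 0)]

if __name__ == "__main__":
    print(attribute(find_aborts(SAMPLE_LOG), SAMPLE_EVENTS))
```

A finding with an empty qgroup_burst points away from this defect and toward ordinary space exhaustion or another abort cause.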
Monitoring Recommendations
- Alert on btrfs kernel error and warning events through your existing log pipeline.
- Monitor btrfs filesystem usage and global reserve metrics on production btrfs hosts using quotas.
- Track invocations of /usr/bin/btrfs qgroup * subcommands and flag unusual frequency from interactive shells.
How to Mitigate CVE-2026-43338
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the NVD advisory and reboot affected hosts.
- Restrict access to btrfs management utilities so that only administrators can issue qgroup ioctls on production volumes.
- Where patching is delayed, evaluate whether btrfs quotas are required; disabling quotas removes the affected code path.
Patch Information
The fix reserves sufficient transaction items for qgroup ioctls so that quota tree updates and the delayed refs they generate no longer depend on the global block reserve. The corrective commits are Kernel Git Commit 386f5e1, Kernel Git Commit bb6eb33, Kernel Git Commit cf930a6, and Kernel Git Commit f9a4e30. Consume the fix through your distribution's kernel update channel.
Workarounds
- Disable btrfs quota groups on affected volumes with btrfs quota disable <mount> if quotas are not operationally required.
- Avoid bulk qgroup operations on production hosts and keep the transaction commit interval at its default rather than extending it with commit=.
- Restrict btrfs ioctl access to trusted administrators using filesystem permissions and sudo policy.
# Configuration example - disable qgroups as a temporary workaround
btrfs quota disable /mnt/data
# Verify quotas are disabled
btrfs qgroup show /mnt/data 2>&1 | grep -i "quotas not enabled"
# After patching, re-enable if required
# btrfs quota enable /mnt/data