CVE-2026-43361 Overview
CVE-2026-43361 is a denial-of-service vulnerability in the Linux kernel btrfs filesystem. A local user with inode_owner_or_capable() privileges can trigger a transaction abort by repeatedly snapshotting a previously received subvolume. The repeated operations eventually overflow the BTRFS_UUID_KEY_RECEIVED_SUBVOL item, exceeding the maximum item size storable in a B-tree leaf. When the overflow occurs, btrfs aborts the transaction and forces the filesystem into read-only mode. The flaw does not require CAP_SYS_ADMIN, allowing a malicious unprivileged user with subvolume ownership to disrupt a shared system. The affected component is the kernel btrfs module.
Critical Impact
A local user can force the btrfs filesystem into read-only mode without root privileges, causing service disruption on shared multi-tenant Linux systems.
Affected Products
- Linux Kernel (multiple stable branches prior to fix)
- Linux Kernel 7.0-rc1, 7.0-rc2, 7.0-rc3
- Distributions shipping vulnerable btrfs module versions
Discovery Timeline
- 2026-05-08 - CVE-2026-43361 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43361
Vulnerability Analysis
The vulnerability resides in the btrfs snapshot creation path, specifically create_pending_snapshot() in fs/btrfs/transaction.c. When a user snapshots a subvolume that has a received_uuid set, btrfs inserts a BTRFS_UUID_KEY_RECEIVED_SUBVOL item into the UUID tree. Each new snapshot of a received subvolume appends an additional entry to this UUID item. Repeated snapshots cause the item to grow until it exceeds the maximum size that fits in a single B-tree leaf.
When the insertion fails with error -75 (EOVERFLOW), the transaction is aborted and the filesystem transitions to read-only mode. The reproducer demonstrates this occurs after roughly 496 snapshots on a filesystem using 4K node size.
The issue is categorized as a kernel-level denial-of-service [CWE-NVD-noinfo] stemming from missing boundary validation on UUID item growth.
Root Cause
The btrfs code does not check whether appending another received-subvolume entry to the UUID item would exceed the leaf-size limit. The kernel calls btrfs_uuid_tree_add() unconditionally during snapshot creation. When the resulting item exceeds the maximum item size, the B-tree code returns an error, but the snapshot path treats this condition as a fatal transaction error rather than a recoverable user-input error.
Attack Vector
Exploitation requires local access and ownership of a btrfs subvolume that has been received via btrfs receive. The attacker repeatedly invokes btrfs subvolume snapshot -r against the received subvolume. Because snapshot, send, set_received_subvol, and subvol_setflags operations only require inode_owner_or_capable() rather than CAP_SYS_ADMIN, an unprivileged user can trigger the abort if they own a received subvolume. The reproducer script in the kernel commit message creates the condition with approximately 500 iterations on a small-node-size filesystem.
No verified exploit code is published beyond the reproducer included in the upstream kernel commit. See the Kernel Git Commit Log for the patch and reproducer details.
Detection Methods for CVE-2026-43361
Indicators of Compromise
- Kernel log entries containing BTRFS warning (device <dev>): insert uuid item failed -75 indicating UUID item overflow.
- Kernel warnings referencing Transaction aborted (error -75) from create_pending_snapshot.cold in fs/btrfs/transaction.c.
- Btrfs filesystem transitioning to read-only mode unexpectedly, with userspace errors such as Read-only file system from btrfs subvolume snapshot.
- Unusually high volume of btrfs subvolume snapshot operations against a subvolume carrying a received_uuid.
Detection Strategies
- Monitor dmesg and /var/log/kern.log for the specific insert uuid item failed -75 warning string and transaction abort messages.
- Audit btrfs command invocations using Linux audit (auditd) rules on the btrfs binary or relevant ioctls (BTRFS_IOC_SNAP_CREATE_V2).
- Track filesystem state transitions to read-only by monitoring /proc/mounts and mount option changes.
- Correlate snapshot creation rate per user against baseline activity to flag automated abuse.
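The kernel-log and read-only-mount checks listed above, written out as an added example (it is not code from the kernel commit or from this advisory). The function names are hypothetical, and the sample inputs are constructed from the signature strings quoted on this page.

```sh
#!/bin/sh
# Added example: offline triage for the CVE-2026-43361 signatures named above.
# SAMPLE_LOG and SAMPLE_MOUNTS are constructed inputs, not captured output.
SAMPLE_LOG='[  512.101] BTRFS warning (device sdc): insert uuid item failed -75
[  512.102] BTRFS: Transaction aborted (error -75)
[  900.000] BTRFS warning (device dm-3): insert uuid item failed -75'

SAMPLE_MOUNTS='/dev/sdc /srv/tenants btrfs ro,relatime,subvolid=5,subvol=/ 0 0
/dev/sda2 / btrfs rw,relatime,subvolid=256,subvol=/@ 0 0
/dev/sdb1 /mnt/iso ext4 ro,relatime 0 0'

# Kernel log on stdin -> "<device> aborted|warning-only", one line per device.
# An abort line carries no device name, so it is attributed to the device
# whose overflow warning most recently preceded it.
uuid_overflow_devices() {
  awk '
    /BTRFS warning \(device [^)]*\): insert uuid item failed -75/ {
      dev = $0
      sub(/.*BTRFS warning \(device /, "", dev)
      sub(/[ )].*/, "", dev)            # keep only the device name
      if (!(dev in seen)) { seen[dev] = 1; order[++n] = dev }
      last = dev
      next
    }
    /Transaction aborted \(error -75\)/ { if (last != "") aborted[last] = 1 }
    END {
      for (i = 1; i <= n; i++)
        print order[i], ((order[i] in aborted) ? "aborted" : "warning-only")
    }'
}

# /proc/mounts-format text on stdin -> mount points of read-only btrfs mounts.
btrfs_ro_mounts() {
  awk '$3 == "btrfs" && ("," $4 ",") ~ /,ro,/ { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | uuid_overflow_devices
printf '%s\n' "$SAMPLE_MOUNTS" | btrfs_ro_mounts
```

On a live host, feed the functions real data with `dmesg | uuid_overflow_devices` and `btrfs_ro_mounts < /proc/mounts`.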
Monitoring Recommendations
- Ingest kernel logs into a centralized SIEM and alert on btrfs transaction abort signatures.
- Track per-user snapshot creation counts against received subvolumes over short time windows.
- Inventory hosts running btrfs root or data filesystems and prioritize patch status reporting.
How to Mitigate CVE-2026-43361
Immediate Actions Required
- Apply the upstream btrfs fix once available in your distribution's stable kernel update channel.
- Restrict ownership of received subvolumes to trusted accounts on multi-user systems.
- Limit unprivileged user access to btrfs subvolume management commands on shared hosts.
- Enable kernel log monitoring to detect transaction-abort signatures early.
Patch Information
The vulnerability is resolved by upstream btrfs commits applied across multiple stable trees. Refer to the kernel git commits at 6bce705b, 770af8e4, 9a9227b4, bac55dde, e1b18b95, and e3d8efc1. Update to the patched stable kernel release shipped by your Linux distribution.
Workarounds
- Avoid taking large numbers of snapshots of subvolumes that have a non-zero received_uuid until kernels are patched.
- Restrict btrfs subcommands for non-administrative users via filesystem permissions or mandatory access controls (SELinux, AppArmor).
- Increase nodesize at mkfs time on new filesystems to raise the threshold before overflow occurs (mitigation only, not a fix).
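```sh
# Example: verify running kernel and patch status on Debian-based systems
uname -r
apt-cache policy linux-image-$(uname -r)

# Example: restrict btrfs CLI to root only as a temporary measure
# (this limits the CLI binary only; the underlying snapshot ioctl can still
# be issued by other programs, so it does not replace patching)
chmod 750 /usr/bin/btrfs
chown root:root /usr/bin/btrfs
```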