CVE-2026-43338

EUVD-2026-28622

08.05.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reserve enough transaction items for qgroup ioctls

Currently our qgroup ioctls don't reserve any space, they just do a
transaction join, which does not reserve any space, neither for the quota
tree updates nor for the delayed refs generated when updating the quota
tree. The quota root uses the global block reserve, which is fine most of
the time since we don't expect a lot of updates to the quota root, or to
be too close to -ENOSPC such that other critical metadata updates need to
resort to the global reserve.

However this is not optimal, as not reserving proper space may result in a
transaction abort due to not reserving space for delayed refs and then
abusing the use of the global block reserve.

For example, the following reproducer (which is unlikely to model any
real world use case, but just to illustrate the problem), triggers such a
transaction abort due to -ENOSPC when running delayed refs:

  $ cat test.sh
  #!/bin/bash

  DEV=/dev/nullb0
  MNT=/mnt/nullb0

  umount $DEV &> /dev/null
  # Limit device to 1G so that it's much faster to reproduce the issue.
  mkfs.btrfs -f -b 1G $DEV
  mount -o commit=600 $DEV $MNT

  fallocate -l 800M $MNT/filler
  btrfs quota enable $MNT

  for ((i = 1; i <= 400000; i++)); do
      btrfs qgroup create 1/$i $MNT
  done

  umount $MNT

When running this, we can see in dmesg/syslog that a transaction abort
happened:

  [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28
  [436.493] ------------[ cut here ]------------
  [436.494] BTRFS: Transaction aborted (error -28)
  [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372
  [436.497] Modules linked in: btrfs loop (...)
  [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
  [436.510] Tainted: [W]=WARN
  [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
  [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]
  [436.514] Code: 0f 82 ea (...)
  [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292
  [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001
  [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80
  [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867
  [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400
  [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000
  [436.526] FS:  00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000
  [436.527] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0
  [436.530] Call Trace:
  [436.530]  <TASK>
  [436.530]  btrfs_commit_transaction+0x73/0xc00 [btrfs]
  [436.531]  ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]
  [436.532]  sync_filesystem+0x7a/0x90
  [436.533]  generic_shutdown_super+0x28/0x180
  [436.533]  kill_anon_super+0x12/0x40
  [436.534]  btrfs_kill_super+0x12/0x20 [btrfs]
  [436.534]  deactivate_locked_super+0x2f/0xb0
  [436.534]  cleanup_mnt+0xea/0x180
  [436.535]  task_work_run+0x58/0xa0
  [436.535]  exit_to_user_mode_loop+0xed/0x480
  [436.536]  ? __x64_sys_umount+0x68/0x80
  [436.536]  do_syscall_64+0x2a5/0xf20
  [436.537]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [436.537] RIP: 0033:0x7fe5906b6217
  [436.538] Code: 0d 00 f7 (...)
  [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
  [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217
  [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100
  [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff
  [436.544] R10: 0000000000000103 R11: 
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.6 ≤ 𝑥 < 6.12.81
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.22
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.12
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.94-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

dlm-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

gfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 12 SP5	4.12.14-122.317.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1.150700.17.35.4 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1.150700.17.35.4 fixed
suse enterprise server 12 SP5	4.12.14-122.317.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1.150700.17.35.4 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.2 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 12 SP5	4.12.14-122.317.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.60.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.60.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.317.1

fixed

Amazon Linux Releases

Amazon Package

Release

bpftool6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

bpftool6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

bpftool6.18

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

bpftool6.18-debuginfo

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel-livepatch-6.12.83-113.160

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel-livepatch-6.18.25-52.107

Amazon Linux 2023

1:1.0-0.amzn2023

fixed

kernel6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-debuginfo-common-aarch64

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-debuginfo-common-x86_64

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-devel

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-headers

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-modules-extra

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-modules-extra-common

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-tools

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-tools-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.12-tools-devel

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

kernel6.18

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-debuginfo

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-debuginfo-common-aarch64

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-debuginfo-common-x86_64

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-devel

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-headers

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-modules-extra

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-modules-extra-common

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-tools

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-tools-debuginfo

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

kernel6.18-tools-devel

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

perf6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

perf6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

perf6.18

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

perf6.18-debuginfo

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

python3-perf6.12

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

python3-perf6.12-debuginfo

Amazon Linux 2023

1:6.12.83-113.160.amzn2023

fixed

python3-perf6.18

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

python3-perf6.18-debuginfo

Amazon Linux 2023

1:6.18.25-52.107.amzn2023

fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen, möglicherweise Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-10T22:00:00+00:00

References

https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3

https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8

https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c

https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e