SB2026050938 - Allocation of Resources Without Limits or Throttling in Linux kernel btrfs
Published: May 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-43361)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of item size limits in btrfs snapshot creation for received subvolumes when snapshotting a previously received subvolume repeatedly. A local user can create many snapshots of a received subvolume to cause a denial of service.
The issue can abort a transaction and force the filesystem into read-only mode. Exploitation does not require CAP_SYS_ADMIN and relies on operations permitted by inode_owner_or_capable().
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a
- https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b
- https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a
- https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238
- https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a
- https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6