Allocation of Resources Without Limits or Throttling in Linux kernel - CVE-2026-43361
Published: May 9, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of item size limits in btrfs snapshot creation when a previously received subvolume is snapshotted repeatedly. A local user can create many snapshots of a received subvolume to cause a denial of service.
The issue can abort a transaction and force the filesystem into read-only mode. Exploitation does not require CAP_SYS_ADMIN and relies on operations permitted by inode_owner_or_capable().
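To see where this pattern already exists on a host, the following added example (not part of the advisory or of the kernel project) counts snapshots per received subvolume from the text printed by `btrfs subvolume list -u -q -R <mountpoint>`. The sample listing and its shortened UUIDs are constructed, and the threshold is an operator-chosen alerting value, not a kernel limit.

```python
import re
from collections import Counter

# Constructed sample in the format printed by `btrfs subvolume list -u -q -R <mnt>`;
# the UUIDs are shortened placeholders, not values from a real filesystem.
SAMPLE = """\
ID 256 gen 41 top level 5 parent_uuid - received_uuid r-0001 uuid u-0100 path recv/base
ID 257 gen 42 top level 5 parent_uuid u-0100 received_uuid - uuid u-0101 path snaps/base.1
ID 258 gen 43 top level 5 parent_uuid u-0100 received_uuid - uuid u-0102 path snaps/base.2
ID 259 gen 44 top level 5 parent_uuid u-0100 received_uuid - uuid u-0103 path snaps/base.3
ID 260 gen 45 top level 5 parent_uuid - received_uuid - uuid u-0200 path home
ID 261 gen 46 top level 5 parent_uuid u-0200 received_uuid - uuid u-0201 path snaps/home.1
"""

# \b keeps the bare "uuid" pattern from matching inside "parent_uuid"/"received_uuid".
FIELD = {n: re.compile(rf"\b{n} (\S+)") for n in ("parent_uuid", "received_uuid", "uuid")}
PATH = re.compile(r"\bpath (.*)$")

def parse(listing):
    """Return one dict per subvolume line; lines missing a field are skipped."""
    rows = []
    for line in listing.splitlines():
        found = {k: rx.search(line) for k, rx in FIELD.items()}
        path = PATH.search(line)
        if path and all(found.values()):
            row = {k: m.group(1) for k, m in found.items()}
            row["path"] = path.group(1)
            rows.append(row)
    return rows

def snapshots_per_received(rows):
    """Count subvolumes whose parent_uuid names a received subvolume."""
    received = {r["uuid"]: r["path"] for r in rows if r["received_uuid"] != "-"}
    counts = Counter(received[r["parent_uuid"]] for r in rows if r["parent_uuid"] in received)
    return dict(counts)

def flag(rows, threshold):
    """Paths of received subvolumes with at least `threshold` snapshots (assumed alert value)."""
    return sorted(p for p, n in snapshots_per_received(rows).items() if n >= threshold)

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for path, n in snapshots_per_received(rows).items():
        print(f"{path}: {n} snapshot(s)")
    print("flagged:", flag(rows, threshold=3))
```

Snapshots of ordinary, non-received subvolumes (`home` in the sample) are ignored, so only the case the advisory describes is reported.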
How to mitigate CVE-2026-43361
Sources
- https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a
- https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b
- https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a
- https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238
- https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a
- https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6