In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject root items with dropprogress and zero droplevel
[BUG] When recovering relocation at mount time, mergerelocroot() and btrfsdropsnapshot() both use BUGON(level == 0) to guard against an impossible state: a non-zero dropprogress combined with a zero droplevel in a rootitem, which can be triggered:
------------[ cut here ]------------ kernel BUG at fs/btrfs/relocation.c:1545! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary) Tainted: [O]=OOTMODULE, [E]=UNSIGNEDMODULE Hardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2 RIP: 0010:mergerelocroot+0x1266/0x1650 fs/btrfs/relocation.c:1545 Code: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000 Call Trace: mergerelocroots+0x295/0x890 fs/btrfs/relocation.c:1861 btrfsrecoverrelocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195 btrfsstartprerwmount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130 openctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640 btrfsfillsuper fs/btrfs/super.c:987 [inline] btrfsgettreesuper fs/btrfs/super.c:1951 [inline] btrfsgettreesubvol fs/btrfs/super.c:2094 [inline] btrfsgettree+0x111c/0x2190 fs/btrfs/super.c:2128 vfsgettree+0x9a/0x370 fs/super.c:1758 fcmount fs/namespace.c:1199 [inline] donewmountfc fs/namespace.c:3642 [inline] donewmount fs/namespace.c:3718 [inline] pathmount+0x5b8/0x1ea0 fs/namespace.c:4028 do_mount fs/namespace.c:4041 [inline] __dosysmount fs/namespace.c:4229 [inline] __sesysmount fs/namespace.c:4206 [inline] __x64sysmount+0x282/0x320 fs/namespace.c:4206 ... RIP: 0033:0x7f969c9a8fde Code: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f ---[ end trace 0000000000000000 ]---
The bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic metadata fuzzing tool that corrupts btrfs metadata at runtime.
[CAUSE] A non-zero dropprogress.objectid means an interrupted btrfsdropsnapshot() left a resume point on disk, and in that case droplevel must be greater than 0 because the checkpoint is only saved at internal node levels.
Although this invariant is enforced when the kernel writes the root item, it is not validated when the root item is read back from disk. That allows on-disk corruption to provide an invalid state with dropprogress.objectid != 0 and droplevel == 0.
When relocation recovery later processes such a root item, mergerelocroot() reads droplevel and hits BUGON(level == 0). The same invalid metadata can also trigger the corresponding BUGON() in btrfsdrop_snapshot().
[FIX] Fix this by validating the rootitem invariant in tree-checker when reading root items from disk: if dropprogress.objectid is non-zero, droplevel must also be non-zero. Reject such malformed metadata with -EUCLEAN before it reaches mergerelocroot() or btrfsdropsnapshot() and triggers the BUGON.
After the fix, the same corruption is correctly rejected by tree-checker and the BUG_ON is no longer triggered.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43046.json",
"cna_assigner": "Linux"
}