CVE-2026-43046

Source
https://cve.org/CVERecord?id=CVE-2026-43046
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43046
Downstream
Published
2026-05-01T14:15:41.849Z
Modified
2026-07-08T08:02:43.526343125Z
Summary
btrfs: reject root items with drop_progress and zero drop_level
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reject root items with dropprogress and zero droplevel

[BUG] When recovering relocation at mount time, mergerelocroot() and btrfsdropsnapshot() both use BUGON(level == 0) to guard against an impossible state: a non-zero dropprogress combined with a zero droplevel in a rootitem, which can be triggered:

------------[ cut here ]------------ kernel BUG at fs/btrfs/relocation.c:1545! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary) Tainted: [O]=OOTMODULE, [E]=UNSIGNEDMODULE Hardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2 RIP: 0010:mergerelocroot+0x1266/0x1650 fs/btrfs/relocation.c:1545 Code: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000 Call Trace: mergerelocroots+0x295/0x890 fs/btrfs/relocation.c:1861 btrfsrecoverrelocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195 btrfsstartprerwmount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130 openctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640 btrfsfillsuper fs/btrfs/super.c:987 [inline] btrfsgettreesuper fs/btrfs/super.c:1951 [inline] btrfsgettreesubvol fs/btrfs/super.c:2094 [inline] btrfsgettree+0x111c/0x2190 fs/btrfs/super.c:2128 vfsgettree+0x9a/0x370 fs/super.c:1758 fcmount fs/namespace.c:1199 [inline] donewmountfc fs/namespace.c:3642 [inline] donewmount fs/namespace.c:3718 [inline] pathmount+0x5b8/0x1ea0 fs/namespace.c:4028 do_mount fs/namespace.c:4041 [inline] __dosysmount fs/namespace.c:4229 [inline] __sesysmount fs/namespace.c:4206 [inline] __x64sysmount+0x282/0x320 fs/namespace.c:4206 ... RIP: 0033:0x7f969c9a8fde Code: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f ---[ end trace 0000000000000000 ]---

The bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic metadata fuzzing tool that corrupts btrfs metadata at runtime.

[CAUSE] A non-zero dropprogress.objectid means an interrupted btrfsdropsnapshot() left a resume point on disk, and in that case droplevel must be greater than 0 because the checkpoint is only saved at internal node levels.

Although this invariant is enforced when the kernel writes the root item, it is not validated when the root item is read back from disk. That allows on-disk corruption to provide an invalid state with dropprogress.objectid != 0 and droplevel == 0.

When relocation recovery later processes such a root item, mergerelocroot() reads droplevel and hits BUGON(level == 0). The same invalid metadata can also trigger the corresponding BUGON() in btrfsdrop_snapshot().

[FIX] Fix this by validating the rootitem invariant in tree-checker when reading root items from disk: if dropprogress.objectid is non-zero, droplevel must also be non-zero. Reject such malformed metadata with -EUCLEAN before it reaches mergerelocroot() or btrfsdropsnapshot() and triggers the BUGON.

After the fix, the same corruption is correctly rejected by tree-checker and the BUG_ON is no longer triggered.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43046.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9f3a742736cecda5a8778be70faa2f779458839f
Fixed
bedaf7d0b9d793e116f16b4d9a7dbc94bcc80443
Fixed
ac68a9a8e481ab1becaed29d6d23087dac3de15d
Fixed
295f8075d00442d71dc9ccae421ace1c0d2d9224
Fixed
53ceedd1eb6280ca8359664e0226983eded2ed73
Fixed
850de3d87f4720b71ccdcd44f4aa57e46b53a3f3
Fixed
de585ee18dd5601745f65a60fef7b7ceebd78c83
Fixed
b17b79ff896305fd74980a5f72afec370ee88ca4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43046.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.29
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43046.json"