HOMEVULNERABILITIESCVE-2026-43299
NONE

CVE-2026-43299

Published: May 8, 2026· Updated: May 12, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()

[BUG]

There is a bug report that when btrfs hits ENOSPC error in a critical

path, btrfs flips RO (this part is expected, although the ENOSPC bug

still needs to be addressed).

The problem is after the RO flip, if there is a read repair pending, we

can hit the ASSERT() inside btrfs_repair_io_failure() like the following:

BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1

------------[ cut here ]------------

BTRFS: Transaction aborted (error -28)

WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844

Modules linked in: kvm_intel kvm irqbypass

[...]

---[ end trace 0000000000000000 ]---

BTRFS info (device vdc state EA): 2 enospc errors during balance

BTRFS info (device vdc state EA): balance: ended with status: -30

BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6

BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0

[...]

assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938

------------[ cut here ]------------

assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938

kernel BUG at fs/btrfs/bio.c:938!

Oops: invalid opcode: 0000 [#1] SMP NOPTI

CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full)

Tainted: [W]=WARN, [N]=TEST

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014

Workqueue: btrfs-endio simple_end_io_work

RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120

RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246

RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000

RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff

RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988

R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310

R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000

FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

------------[ cut here ]------------

[CAUSE]

The cause of -ENOSPC error during the test case btrfs/124 is still

unknown, although it's known that we still have cases where metadata can

be over-committed but can not be fulfilled correctly, thus if we hit

such ENOSPC error inside a critical path, we have no choice but abort

the current transaction.

This will mark the fs read-only.

The problem is inside the btrfs_repair_io_failure() path that we require

the fs not to be mount read-only. This is normally fine, but if we are

doing a read-repair meanwhile the fs flips RO due to a critical error,

we can enter btrfs_repair_io_failure() with super block set to

read-only, thus triggering the above crash.

[FIX]

Just replace the ASSERT() with a proper return if the fs is already

read-only.

NVD Source

Technical Analysis

CVE-2026-43299 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-43299
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43299 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.