CVE-2026-43299
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure() [BUG] There is a bug report that when btrfs hits ENOSPC error in a critical path, btrfs flips RO (this part is expected, although the ENOSPC bug still needs to be addressed). The problem is after the RO flip, if there is a read repair pending, we can hit the ASSERT() inside btrfs_repair_io_failure() like the following: BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1 ------------[ cut here ]------------ BTRFS: Transaction aborted (error -28) WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844 Modules linked in: kvm_intel kvm irqbypass [...] ---[ end trace 0000000000000000 ]--- BTRFS info (device vdc state EA): 2 enospc errors during balance BTRFS info (device vdc state EA): balance: ended with status: -30 BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6 BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0 [...] assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 ------------[ cut here ]------------ assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 kernel BUG at fs/btrfs/bio.c:938! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full) Tainted: [W]=WARN, [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 Workqueue: btrfs-endio simple_end_io_work RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120 RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246 RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988 R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310 R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000 FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 ------------[ cut here ]------------ [CAUSE] The cause of -ENOSPC error during the test case btrfs/124 is still unknown, although it's known that we still have cases where metadata can be over-committed but can not be fulfilled correctly, thus if we hit such ENOSPC error inside a critical path, we have no choice but abort the current transaction. This will mark the fs read-only. The problem is inside the btrfs_repair_io_failure() path that we require the fs not to be mount read-only. This is normally fine, but if we are doing a read-repair meanwhile the fs flips RO due to a critical error, we can enter btrfs_repair_io_failure() with super block set to read-only, thus triggering the above crash. [FIX] Just replace the ASSERT() with a proper return if the fs is already read-only.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Affected
| Vendor | Product | Version |
|---|---|---|
| microsoft | Windows Server 2012 | |
| microsoft | Windows Server 2012 (Server Core installation) | |
| microsoft | Windows Server 2012 R2 | |
| microsoft | Windows Server 2012 R2 (Server Core installation) | |
| microsoft | Microsoft Excel 2016 (32-bit edition) | |
| microsoft | Microsoft Excel 2016 (64-bit edition) | |
| microsoft | Microsoft Word 2016 (32-bit edition) | |
| microsoft | Microsoft Word 2016 (64-bit edition) | |
| microsoft | Microsoft Office 2016 (32-bit edition) | |
| microsoft | Microsoft Office 2016 (64-bit edition) | |
| microsoft | Windows Server 2016 | |
| microsoft | Office Online Server | |
| microsoft | Windows 10 Version 1607 for 32-bit Systems | |
| microsoft | Windows 10 Version 1607 for x64-based Systems | |
| microsoft | Windows Server 2016 (Server Core installation) | |
| microsoft | Microsoft SharePoint Enterprise Server 2016 | |
| microsoft | Microsoft SQL Server 2017 for x64-based Systems (GDR) | |
| microsoft | Windows 10 Version 1809 for 32-bit Systems | |
| microsoft | Windows 10 Version 1809 for x64-based Systems | |
| microsoft | Windows Server 2019 | |
| microsoft | Windows Server 2019 (Server Core installation) | |
| microsoft | Microsoft Office 2019 for 32-bit editions | |
| microsoft | Microsoft Office 2019 for 64-bit editions | |
| microsoft | Microsoft SharePoint Server 2019 | |
| microsoft | Visual Studio Code | |
| microsoft | Windows Admin Center | |
| microsoft | Microsoft .NET Framework 4.8 on Windows Server 2012 | |
| microsoft | Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | |
| microsoft | Microsoft .NET Framework 4.8 on Windows Server 2016 | |
| microsoft | Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 6.19.6-1 |
| debian | sid | fixed | 6.19.6-1 |
| debian | trixie | affected | |
| linux-kernel | affected | 6.19.6 | |
| windows | affected | |
References
- https://git.kernel.org/stable/c/8ceaad6cd6e7fa5f73b0b2796a2e85d75d37e9f3
- https://git.kernel.org/stable/c/f6df18c001e3dcebc08482d0adeacd0cfea08593
- https://www.suse.com/security/cve/CVE-2026-43299.html
- https://security-tracker.debian.org/tracker/CVE-2026-43299
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43299
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.