Linux kernel btrfs could allow internal attacker to crash the system

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-43117

An internal attacker with existing system access can exploit a vulnerability in the Linux kernel’s Btrfs storage component to trigger an unrecoverable system crash. This could cause unexpected service outages and disrupt critical business operations reliant on this storage technology.

1 Halo Surface Signal

Linux Kernel

  • 4.8 to before 6.6.136
  • 6.7 to before 6.12.83
  • 6.13 to before 6.18.24
  • 6.19 to before 6.19.14
  • 7.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-43117

This vulnerability occurs within the Linux kernel Btrfs filesystem logic and requires an attacker to already have local system access to trigger the flaw via file synchronization commands. It is a local-only component that lacks any network-exposed interface, meaning it is not reachable via the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in the Linux kernel can cause a system crash when using the btrfs filesystem with overlayfs. If triggered, it could prevent the system from operating normally.

  • Affects Linux kernel btrfs.
  • Can lead to system crashes.
  • Requires specific filesystem configurations.

Attack Path

How an attacker could exploit the issue

An attacker with local access could trigger a crash by leveraging the interaction between overlay filesystems and the Btrfs tracepoint logic. This flaw can be abused to achieve denial of service on a system running a vulnerable Linux kernel.

  • Requires local access.
  • Triggers on file sync operation.
  • Overlay filesystem on Btrfs is key.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Linux kernel's Btrfs filesystem tracepoints appears unlikely to be weaponized by external attackers. Its complexity and requirement for local access limit its appeal, as there are typically easier avenues for compromise.

  • Local privilege escalation target.
  • No public exploit code.
  • Fix is recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected Linux kernel versions to address the critical vulnerability. If patching is delayed, isolate systems using btrfs with overlayfs, and implement enhanced monitoring for filesystem corruption or unexpected crashes.

  • Deploy Linux kernel patches.
  • Isolate btrfs systems using overlayfs.
  • Monitor for filesystem crashes.
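
To scope the patching and isolation steps above, a host can be checked for both conditions the advisory names: a kernel in one of the listed ranges and an overlay mount backed by btrfs. This is an added example, not code from the advisory or the kernel project; the function names and the sample mount table are constructed, and the version test assumes upstream numbering.

```python
import platform
import re

# Upstream ranges listed on this page: (first affected, first fixed) per branch.
# The page's bare "7.0" entry is not encoded; the page does not say what it denotes.
AFFECTED = [((4, 8, 0), (6, 6, 136)), ((6, 7, 0), (6, 12, 83)),
            ((6, 13, 0), (6, 18, 24)), ((6, 19, 0), (6, 19, 14))]

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /data btrfs rw,relatime,ssd 0 0
overlay /merged overlay rw,lowerdir=/data/lower,upperdir=/data/upper,workdir=/data/work 0 0
overlay /other overlay rw,lowerdir=/srv/lower,upperdir=/srv/upper,workdir=/srv/work 0 0
"""

def kernel_in_listed_range(release):
    """True if an upstream release string such as '6.12.40-generic' is in a listed range.
    Distribution kernels may backport the fix without changing this number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = tuple(int(g or 0) for g in m.groups())
    return any(lo <= version < hi for lo, hi in AFFECTED)

def fstype_of(path, mounts):
    """Filesystem type of the longest mount point that contains path, or None."""
    best_len, best_type = -1, None
    for mountpoint, fstype, _ in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if (path == mountpoint or path.startswith(prefix)) and len(mountpoint) >= best_len:
            best_len, best_type = len(mountpoint), fstype
    return best_type

def overlays_on_btrfs(mounts_text):
    """Mount points of overlay mounts whose lowerdir or upperdir sits on btrfs."""
    mounts = [tuple(f[1:4]) for f in map(str.split, mounts_text.splitlines()) if len(f) >= 4]
    hits = set()
    for mountpoint, fstype, options in mounts:
        if fstype != "overlay":
            continue
        for key, _, value in (opt.partition("=") for opt in options.split(",")):
            # Relative lowerdir entries (as some container runtimes use) cannot be resolved here.
            if key in ("lowerdir", "upperdir") and any(
                    fstype_of(d, mounts) == "btrfs" for d in value.split(":")):
                hits.add(mountpoint)
    return sorted(hits)

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print("kernel in listed range:", kernel_in_listed_range(platform.release()))
        print("overlay mounts on btrfs:", overlays_on_btrfs(fh.read()))
```

A host that reports both a kernel in a listed range and at least one overlay mount on btrfs matches the configuration described here; confirm the fix status of distribution kernels against the vendor's own advisory.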

Frequently asked questions

What is the Linux kernel and what is Btrfs?

The Linux kernel is the core of the Linux operating system, managing hardware and software resources. Btrfs (B-tree File System) is a modern copy-on-write filesystem for Linux, designed for features like snapshots and data integrity.

What is CVE-2026-43117 and what kind of weakness does it represent?

CVE-2026-43117 is a vulnerability in the Linux kernel's Btrfs filesystem. It's related to how tracepoints retrieve superblock information, which, when combined with overlay filesystems, can lead to incorrect assignments and system crashes.

How can CVE-2026-43117 be triggered, and what does not trigger it?

This vulnerability is triggered when the overlay filesystem is used on top of Btrfs, and a specific file synchronization event occurs within the `btrfs_sync_file()` tracepoint. It does not trigger if only Btrfs is used without overlayfs, or if the specific file synchronization operation is not performed.

Who should be concerned about this Linux kernel vulnerability?

Organizations running Linux systems that utilize the Btrfs filesystem with overlayfs should be concerned. The Halo Surface Signal indicates this is a local-only issue, meaning an attacker needs to already have some level of access to the system to exploit it, rather than being able to attack over the internet.

What is the first step to address this threat advisory for Linux?

The most important first step is to update the Linux kernel to a version that includes the fix for CVE-2026-43117. If immediate patching is not possible, consider isolating systems that use Btrfs with overlayfs.
