PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45934 Linux CVE debrief

A logic flaw in the Linux kernel's Btrfs filesystem can cause chunk allocation to produce overlapping physical extents, leading to transaction aborts with EEXIST (-17) errors. The vulnerability manifests when non-consecutive gaps exist in chunk allocation, particularly affecting DUP (duplicate) chunk types and forced chunk allocation (CONFIG_BTRFS_EXPERIMENTAL). When triggered, the filesystem aborts the transaction in btrfs_create_pending_block_groups() at insert_dev_extents(), potentially causing filesystem unavailability. The issue was resolved by correcting the chunk allocation logic to properly handle gaps and prevent overlapping stripe allocations.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux system administrators running Btrfs filesystems, particularly those with CONFIG_BTRFS_EXPERIMENTAL enabled; kernel maintainers and distribution security teams responsible for stable kernel updates; storage infrastructure operators using Btrfs for production workloads

Technical summary

The Btrfs filesystem driver in the Linux kernel contains a flaw in chunk allocation where non-consecutive gaps can cause overlapping physical extent assignments. When allocating DUP (duplicate) chunks—particularly through forced chunk allocation enabled by CONFIG_BTRFS_EXPERIMENTAL—the allocation logic may assign the same physical region to multiple stripes. This results in insert_dev_extents() returning EEXIST (-17) during btrfs_create_pending_block_groups(), triggering a transaction abort. The drgn analysis shows overlapping patterns where stripe 1 of chunk N occupies the same physical address range as stripe 0 of chunk N+1. The fix corrects the gap handling in chunk allocation to ensure physical extents remain non-overlapping.

Defensive priority

high

Recommended defensive actions

  • Apply the relevant stable kernel patches from the 6.x stable series once available for your distribution
  • Monitor Btrfs filesystem logs for 'BTRFS: Transaction aborted (error -17)' messages indicating potential trigger conditions
  • Avoid using CONFIG_BTRFS_EXPERIMENTAL forced chunk allocation on production systems until patched
  • If experiencing transaction aborts, capture filesystem metadata with 'btrfs inspect-internal dump-super' and 'btrfs inspect-internal dump-tree' for analysis before any recovery attempts
  • Consider filesystem scrub operations after patching to verify extent consistency

Evidence notes

The vulnerability description includes a kernel stack trace showing the abort path through btrfs_create_pending_block_groups() and drgn analysis revealing overlapping chunk_maps where stripe 1 of one chunk overlaps physically with stripe 0 of another chunk. The fix is confirmed through stable kernel git commits.

Official resources

2026-05-27