A critical flaw in the Linux kernel's Btrfs file system, tracked as CVE-2026-45934, can trigger transaction aborts and jeopardize data integrity when using the DUP metadata profile. The vulnerability, disclosed by kernel.org and published by the National Vulnerability Database on May 27, 2026, stems from a logic error in chunk allocation that allows pending extents to overlap, ultimately leading to a -EEXIST btrfs transaction abort.

The bug affects systems where new chunk allocations are made while previous allocations remain pending—a scenario that can arise during heavy metadata operations or disk space balancing. When DUP (duplicate) chunk allocation is attempted, the kernel fails to properly account for non-consecutive pending extents, causing it to mistakenly allocate a chunk that overlaps an existing pending location. The result is an irrecoverable transaction error, forcing the file system into read-only mode to prevent further damage.

Understanding Btrfs and the DUP Profile

Btrfs (B-tree file system) is a modern copy-on-write file system for Linux, known for its advanced features such as snapshots, compression, and integrated RAID. One of its key strengths is flexible data and metadata redundancy through profiles. The DUP profile, short for duplication, writes two copies of each metadata block on a single device. This provides a degree of self-healing against data corruption, as one copy can be used to repair the other if bit rot or bad sectors are detected.

DUP is often the default profile for metadata on single-disk Btrfs volumes, making it extremely common in desktop and server deployments alike. Because metadata integrity is critical to the entire file system, any bug that compromises DUP allocation can have cascading effects, potentially leading to unmountable file systems or irrecoverable data loss.

The Root Cause: Overlapping Pending Allocations

CVE-2026-45934 originates in the kernel's chunk allocation code, specifically in the logic that tracks pending extent regions. When Btrfs allocates a new chunk for DUP metadata, it must ensure that the two copies of the metadata block do not collide with any existing allocations—whether those allocations are committed (on-disk) or still pending in the current transaction.

The flaw lies in how the allocator handles non-consecutive pending allocations. Under certain conditions, when multiple chunk allocations are queued within a single transaction and those pending regions are not contiguous, the allocation function may incorrectly compute the available space. This can cause a new DUP chunk to be placed overlapping an already-pending region. At commit time, the file system detects the duplicate logical address and aborts the transaction with the cryptic error message:

BTRFS: Transaction aborted (error -EEXIST)

The -EEXIST error code indicates that an item (in this case a chunk item) already exists in the extent tree when it shouldn't. This inconsistency is fatal to the transaction, causing Btrfs to immediately switch to error=readonly mode to protect existing data from further corruption.

How the Bug Manifests in Real-World Workloads

Reproducing the issue requires a combination of rapid metadata operations and just the right timing of pending allocations. Common triggers include:

  • Heavy snapshot creation or deletion
  • Intensive subvolume operations
  • Balancing or device maintenance tasks
  • Concurrent file creation in directories with a large number of subvolumes

Users may not see the abort immediately; the file system might continue operating normally until the transaction commit fails. At that point, any application attempting to write to the volume receives an I/O error, and the mount becomes read-only. System logs will show a transaction abort with -EEXIST.

Administrators who reboot or attempt to remount may find that the volume refuses to mount read-write. Recovery often requires manual intervention using btrfs check --repair, which carries its own risks.

Affected Kernel Versions and Setups

The vulnerability exists in the Linux kernel's Btrfs implementation. All kernels that include the vulnerable chunk allocation code are potentially affected, though practical exploitation depends on workload patterns. The bug was introduced in a kernel version where the DUP chunk allocation logic was refined; maintainers have since patched the issue in the mainline kernel.

Affected configurations include:
- Single-disk Btrfs volumes using the DUP metadata profile (most common)
- Multi-device Btrfs volumes where metadata uses DUP on some or all devices
- Systems where mkfs.btrfs defaults to DUP for metadata (which is typical for single-drive filesystems)

Distributions that shipped affected kernel versions include mainstream Linux distributions such as Debian, Ubuntu, Fedora, Arch, and openSUSE. Users can check their kernel version against the security advisory from their distribution.

Technical Deep Dive: The Allocator’s Fatal Oversight

To understand the bug, it helps to examine the Btrfs chunk allocator’s state machine. When the file system needs a new chunk, it reserves a logical address range in the extent allocation tree. If there are multiple pending allocations, they are tracked in a pending list. The allocator must consider these pending addresses as already occupied, even though the actual on-disk extents haven't been committed.

The vulnerability occurs because the pending list is not sorted or merged in a way that accounts for gaps between pending regions. In the DUP case, the allocator needs to find two disjoint sub-regions within the same chunk. A flawed comparison in the search algorithm allows a newly calculated DUP chunk to start inside a gap between two pending allocations, but extend into the next pending region. The function that validates the placement misses this overlap and returns success.

Later, when the transaction is committed, the kernel attempts to insert the chunk item into the extent tree. The insertion fails because the logical address range already has a pending—or recently committed—item with a conflicting key. This triggers the -EEXIST abort.

Kernel developers have since corrected the logic to ensure that the pending extent search properly covers all gaps and that overlapping chunks are rejected during allocation, not at commit time.
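The failure mode described above can be reproduced with a toy model. This is an added example, not the kernel's allocator code or the upstream patch; the range structure, function names and sample values are all assumptions made for illustration. It shows a search that stops after the first colliding pending range landing in a gap and running into the next pending range, next to a search that clears every pending range.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code: pending chunk allocations are sorted,
 * non-overlapping [start, start + len) ranges in arbitrary units. */
struct range { uint64_t start, len; };

static int overlaps(const struct range *r, uint64_t start, uint64_t len)
{
    return start < r->start + r->len && r->start < start + len;
}

/* Flawed search: skips past the first colliding pending range, then
 * accepts the new start without checking the ranges that follow. */
uint64_t place_flawed(const struct range *p, size_t n, uint64_t start, uint64_t len)
{
    for (size_t i = 0; i < n; i++)
        if (overlaps(&p[i], start, len))
            return p[i].start + p[i].len;
    return start;
}

/* Corrected search: keeps advancing until every pending range is cleared. */
uint64_t place_fixed(const struct range *p, size_t n, uint64_t start, uint64_t len)
{
    for (size_t i = 0; i < n; i++)
        if (overlaps(&p[i], start, len))
            start = p[i].start + p[i].len;
    return start;
}

/* Stand-in for the commit-time insert: -EEXIST if the range is taken. */
int commit_check(const struct range *p, size_t n, uint64_t start, uint64_t len)
{
    for (size_t i = 0; i < n; i++)
        if (overlaps(&p[i], start, len))
            return -EEXIST;
    return 0;
}

/* Constructed sample: two pending ranges with a 2-unit gap at [4, 6). */
static const struct range pending[] = { {0, 4}, {6, 4} };

int main(void)
{
    uint64_t bad = place_flawed(pending, 2, 0, 4);
    uint64_t good = place_fixed(pending, 2, 0, 4);
    printf("flawed: start=%llu commit=%d\n", (unsigned long long)bad, commit_check(pending, 2, bad, 4));
    printf("fixed:  start=%llu commit=%d\n", (unsigned long long)good, commit_check(pending, 2, good, 4));
    return 0;
}
```

The flawed search places the 4-unit request in the 2-unit gap, so the collision only surfaces at the commit-time check; the corrected search rejects the gap during allocation.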

Impact on Enterprise and Home Users

For enterprise storage arrays running Btrfs in production, this bug could be catastrophic. A sudden read-only mount on a database or virtual machine storage volume can cause service outages. Because the abort is tied to a metadata inconsistency, simple fixes like unmounting and remounting won't help. Administrators may need to boot from rescue media and perform offline repair using btrfs check --repair, a tool that can potentially make things worse if used incorrectly.

Home users running Linux desktops with Btrfs on root are also at risk. While they may not hit the bug as frequently, heavy use of snapshots (e.g., timeshift or snapper) increases the odds. Once the volume goes read-only, the system becomes unbootable, leaving users stranded without advanced recovery knowledge.

The risk is elevated for systems that frequently balance or resize Btrfs volumes, as these operations generate multiple chunk allocations in short order.

Exploitability and Security Implications

CVE-2026-45934 is rated with a CVSS score of 5.5 (Medium) by the NVD, reflecting a local attack vector and high integrity impact but no privilege escalation. An unprivileged local user can trigger the vulnerability by rapidly creating and deleting files in a way that forces chunk reallocation. While it doesn't give an attacker elevated privileges directly, it can cause denial-of-service or, in worst-case scenarios, force an administrator to run risky disk repair commands—potentially leading to data loss.

The bug is not remotely exploitable without local access. However, in shared hosting environments where users have shell access, a malicious actor could intentionally trigger the abort to disrupt services.

Mitigation and Detection

Until patches are applied, administrators can take steps to reduce the likelihood of hitting this bug:

  • Avoid DUP metadata on single drives—though this is a core feature, switching to single metadata profile eliminates the DUP-specific code path. This change requires rebalancing: btrfs balance start -mconvert=single /mountpoint
  • Limit concurrency—reduce parallel metadata-intensive operations such as simultaneous snapshot creation.
  • Monitor kernel logs—set up alerts for Btrfs transaction abort errors to catch the issue early.
  • Increase transaction commit intervals—using mount option commit=300 (seconds) may reduce the chance of overlapping pending allocations, though it can increase memory pressure.

To check if a system has already been hit, look for lines like:

grep "BTRFS.*Transaction aborted.*EEXIST" /var/log/syslog

A report of such an error warrants immediate action: back up critical data and prepare for offline btrfs check.

Patching and Kernel Updates

The Linux kernel maintainers have merged a patch that fixes the pending overlap check in the chunk allocator. The commit (accessible via kernel.org) reworks the search logic to guarantee that DUP chunk allocations never collide with pending extents, regardless of their contiguity. The fix is backported to stable kernel series: 5.15.y, 6.1.y, 6.6.y, and 6.12.y.

Users should update to the latest kernel package from their distribution:

  • Debian/Ubuntu: sudo apt update && sudo apt upgrade
  • Fedora: sudo dnf update 'kernel*'
  • Arch: sudo pacman -Syu
  • openSUSE: sudo zypper up

For systems that cannot be immediately rebooted, live kernel patching services (e.g., Canonical Livepatch, KernelCare) may provide a fix without downtime.

After updating, verify the patch is active by checking the kernel version:

uname -r

Then ensure Btrfs scrub and balance operations are healthy:

btrfs scrub start /mountpoint
btrfs balance start --full-balance /mountpoint

The Road Ahead for Btrfs Stability

CVE-2026-45934 is a reminder that even mature file systems carry subtle bugs that can strike when least expected. While Btrfs has made enormous strides in stability over the years, incidents like this underscore the importance of rigorous code review for space allocation routines—code that operates at the very heart of data integrity.

The open-source community’s swift response—from vulnerability disclosure to patching—demonstrates the strength of collaborative security. Users can contribute by testing release candidates and reporting anomalies early.

For Windows enthusiasts eyeing Linux technologies, this CVE also highlights the complexity awaiting Microsoft’s own Btrfs integration. Windows 11’s Windows Subsystem for Linux (WSL) supports Btrfs inside virtual disks, and third-party drivers like WinBtrfs enable native mounts. As Btrfs adoption grows beyond traditional Linux servers, cross-platform awareness of its quirks becomes vital.

Final Analysis and Recommendations

CVE-2026-45934 is not yet widely exploited in the wild, but the potential for local denial-of-service and data integrity loss warrants immediate patching. The medium severity rating may understate the practical impact for organizations that rely on Btrfs for production storage.

Key takeaways:
- Update your Linux kernel now if you use Btrfs with DUP metadata.
- Avoid heavy metadata operations until patched; consider a temporary profile switch if risk is high.
- Always have verified backups—Btrfs snapshots are not a substitute for off-media backups.
- Monitor kernel logs for transaction aborts.

As with any storage-level vulnerability, the best defense is proactive maintenance. Stay informed through distribution security channels, and don’t let a silent allocator bug catch you off guard.