
CVE-2024-26644: Vulnerability in Linux Linux

High
Published: Tue Mar 26 2024 (03/26/2024, 15:17:17 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't abort filesystem when attempting to snapshot deleted subvolume

If the source file descriptor to the snapshot ioctl refers to a deleted subvolume, we get the following abort:

    BTRFS: Transaction aborted (error -2)
    WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]
    Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c
    CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
    RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]
    RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027
    RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840
    RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998
    R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe
    R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80
    FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0
    Call Trace:
     <TASK>
     ? create_pending_snapshot+0x1040/0x1190 [btrfs]
     ? __warn+0x81/0x130
     ? create_pending_snapshot+0x1040/0x1190 [btrfs]
     ? report_bug+0x171/0x1a0
     ? handle_bug+0x3a/0x70
     ? exc_invalid_op+0x17/0x70
     ? asm_exc_invalid_op+0x1a/0x20
     ? create_pending_snapshot+0x1040/0x1190 [btrfs]
     ? create_pending_snapshot+0x1040/0x1190 [btrfs]
     create_pending_snapshots+0x92/0xc0 [btrfs]
     btrfs_commit_transaction+0x66b/0xf40 [btrfs]
     btrfs_mksubvol+0x301/0x4d0 [btrfs]
     btrfs_mksnapshot+0x80/0xb0 [btrfs]
     __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]
     btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]
     btrfs_ioctl+0x8a6/0x2650 [btrfs]
     ? kmem_cache_free+0x22/0x340
     ? do_sys_openat2+0x97/0xe0
     __x64_sys_ioctl+0x97/0xd0
     do_syscall_64+0x46/0xf0
     entry_SYSCALL_64_after_hwframe+0x6e/0x76
    RIP: 0033:0x7fe20abe83af
    RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af
    RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003
    RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58
     </TASK>
    ---[ end trace 0000000000000000 ]---
    BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry
    BTRFS info (device vdc: state EA): forced readonly
    BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.
    BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry

This happens because create_pending_snapshot() initializes the new root item as a copy of the source root item. This includes the refs field, which is 0 for a deleted subvolume. The call to btrfs_insert_root() therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then finds the root and returns -ENOENT if refs == 0, which causes create_pending_snapshot() to abort.

Fix it by checking the source root's refs before attempting the snapshot, but after locking subvol_sem to avoid racing with deletion.

AI-Powered Analysis

Last updated: 06/29/2025, 21:39:57 UTC

Technical Analysis

CVE-2024-26644 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation. The flaw occurs when attempting to create a snapshot of a deleted subvolume. Specifically, the function create_pending_snapshot() initializes a new root item by copying the source root item, including the 'refs' field. For deleted subvolumes, this 'refs' field is zero. When btrfs_insert_root() inserts a root with refs == 0, subsequent calls to btrfs_get_new_fs_root() detect this and return an error (-ENOENT), causing create_pending_snapshot() to abort the transaction. This abort leads to the filesystem entering a forced readonly state and skipping the commit of the aborted transaction, effectively disrupting normal filesystem operations. The root cause is a lack of validation of the source root's refs count before snapshot creation, which can be exploited by referencing a deleted subvolume. The fix involves adding a check on the source root's refs after acquiring the subvol_sem lock to prevent race conditions with deletion. This vulnerability does not appear to be exploited in the wild yet and affects Linux kernel versions including the commit identified by hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. The issue manifests as a denial of service (DoS) condition by aborting filesystem transactions and forcing the Btrfs filesystem into a readonly state, potentially impacting system stability and availability.
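The flow described in the Description and in the analysis above can be followed in a small userspace model. This is an added example, not kernel code: ToyFs, RootItem, the root ids 256/257 and the -ENOENT return of the patched path are assumptions of the model, and a threading.Lock stands in for subvol_sem.

```python
import errno
import threading
from dataclasses import dataclass, field, replace


@dataclass
class RootItem:
    refs: int  # 0 means the subvolume has been deleted


@dataclass
class ToyFs:
    roots: dict = field(default_factory=dict)  # root id -> RootItem
    read_only: bool = False
    subvol_sem: threading.Lock = field(default_factory=threading.Lock)

    def get_new_fs_root(self, root_id):
        """Stands in for btrfs_get_new_fs_root(): reject roots with refs == 0."""
        item = self.roots.get(root_id)
        return -errno.ENOENT if item is None or item.refs == 0 else 0


def create_pending_snapshot(fs, src_id, new_id):
    """Commit-time step: the new root item starts as a copy of the source."""
    fs.roots[new_id] = replace(fs.roots[src_id])  # the refs field is copied too
    ret = fs.get_new_fs_root(new_id)
    if ret:
        fs.read_only = True  # transaction abort forces the filesystem read-only
    return ret


def snapshot_unpatched(fs, src_id, new_id):
    with fs.subvol_sem:
        return create_pending_snapshot(fs, src_id, new_id)


def snapshot_patched(fs, src_id, new_id):
    with fs.subvol_sem:  # held, so deletion cannot race with the check
        if fs.roots[src_id].refs == 0:
            return -errno.ENOENT  # assumed errno; fails before the transaction
        return create_pending_snapshot(fs, src_id, new_id)


def run(snapshot, src_refs):
    """Snapshot root 256 into 257; return (return code, filesystem read-only?)."""
    fs = ToyFs(roots={256: RootItem(refs=src_refs)})
    return snapshot(fs, 256, 257), fs.read_only
```

In this model both paths hand the caller the same error for a deleted source; the difference is that the unpatched path fails inside the commit and takes the whole filesystem read-only, while the patched path fails before any transaction state is touched.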

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems utilizing the Btrfs filesystem on Linux kernels affected by this flaw. Btrfs is increasingly used in enterprise and cloud environments due to its advanced features like snapshots and volume management. The vulnerability can cause denial of service by aborting filesystem transactions and forcing the filesystem into a readonly state, which can disrupt critical applications, data processing, and services relying on Btrfs volumes. Organizations running virtualized environments or container platforms on Linux with Btrfs-backed storage could experience service interruptions. Additionally, since the issue arises from snapshot operations, backup and recovery workflows that rely on Btrfs snapshots may be impacted, potentially delaying disaster recovery or data protection processes. Although exploitation requires invoking snapshot ioctl calls referencing deleted subvolumes, which implies local access or privileged operations, the impact on availability and operational continuity can be significant. This could affect sectors with high reliance on Linux infrastructure such as finance, telecommunications, research institutions, and government agencies across Europe.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, ensuring the fix that validates the refs field before snapshot creation is applied. System administrators should audit their use of Btrfs snapshots, especially in automated scripts or backup systems, to avoid referencing deleted subvolumes. Implementing strict access controls and limiting privileged user operations that can invoke snapshot ioctl calls will reduce the risk of accidental or malicious triggering of this vulnerability. Monitoring kernel logs for Btrfs-related errors or warnings can help detect attempts to exploit this issue. For environments where immediate patching is not feasible, temporarily disabling snapshot creation on Btrfs volumes or restricting it to trusted users can mitigate risk. Additionally, maintaining regular backups outside of Btrfs snapshots ensures data availability if the filesystem enters readonly mode. Organizations should also engage with their Linux distribution vendors to receive timely updates and security advisories related to this vulnerability.
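For the kernel-log monitoring recommended above, the following added example (not part of the original advisory) flags devices whose transaction aborted in create_pending_snapshot with errno -2 and records whether the forced-readonly message followed. The sample lines are constructed from the messages in the Description; the timestamps and the sdb1 lines are made up for contrast.

```python
import re

# e.g. "BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 ..."
ABORT_RE = re.compile(
    r"BTRFS: error \(device (?P<dev>[^:)\s]+)[^)]*\) in "
    r"(?P<func>\w+):\d+: errno=(?P<errno>-?\d+)"
)
# e.g. "BTRFS info (device vdc: state EA): forced readonly"
READONLY_RE = re.compile(
    r"BTRFS info \(device (?P<dev>[^:)\s]+)[^)]*\): forced readonly"
)


def find_snapshot_aborts(lines):
    """Map device -> line numbers of the snapshot abort and the readonly switch."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = ABORT_RE.search(line)
        if m and m["func"] == "create_pending_snapshot" and m["errno"] == "-2":
            hits.setdefault(m["dev"], {"abort_line": n, "readonly_line": None})
            continue
        m = READONLY_RE.search(line)
        # Only count a readonly switch that follows a matching abort.
        if m and m["dev"] in hits and hits[m["dev"]]["readonly_line"] is None:
            hits[m["dev"]]["readonly_line"] = n
    return hits


# Constructed sample: vdc shows this CVE's signature, sdb1 is an unrelated I/O abort.
SAMPLE_LOG = [
    "[  101.1] BTRFS: Transaction aborted (error -2)",
    "[  101.1] WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 "
    "create_pending_snapshot+0x1040/0x1190 [btrfs]",
    "[  101.2] BTRFS: error (device vdc: state A) in "
    "create_pending_snapshot:1875: errno=-2 No such entry",
    "[  101.2] BTRFS info (device vdc: state EA): forced readonly",
    "[  101.2] BTRFS warning (device vdc: state EA): "
    "Skipping commit of aborted transaction.",
    "[  101.2] BTRFS: error (device vdc: state EA) in "
    "cleanup_transaction:2055: errno=-2 No such entry",
    "[  250.0] BTRFS: error (device sdb1: state A) in "
    "btrfs_run_delayed_refs:2150: errno=-5 IO failure",
    "[  250.0] BTRFS info (device sdb1: state EA): forced readonly",
]

if __name__ == "__main__":
    for dev, hit in find_snapshot_aborts(SAMPLE_LOG).items():
        print(f"{dev}: abort at line {hit['abort_line']}, "
              f"readonly at line {hit['readonly_line']}")
```

A hit on a patched kernel would be unexpected, so it is also a quick way to spot hosts that missed the kernel update.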


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.138Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe4268

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 9:39:57 PM

Last updated: 8/17/2025, 11:28:36 AM
