CVE-2026-43308 is a Linux kernel vulnerability in the btrfs filesystem driver, where an unexpected delayed reference type could trigger a kernel panic (BUG()). The fix prevents the kernel from crashing in this scenario by handling the unexpected condition gracefully. Although published via Microsoft’s security advisory channel for Azure, the underlying issue affects any Linux system using the btrfs filesystem, including Azure Linux-based virtual machines.

Security Architect’s Take: Review whether your Azure Linux VMs or AKS nodes are running kernels with btrfs as an active filesystem; if so, prioritise patching the host or guest kernel to the version that includes this fix. Monitor for Microsoft-released kernel updates for Azure-optimised Linux images and ensure your update pipelines apply them promptly.

Original advisory: CVE-2026-43308 btrfs: don’t BUG() on unexpected delayed ref type in run_one_delayed_ref()