btrfs: fix double free in create_space_info() error path_CVE-2026-46129

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.

Basic Information

ID CVE-2026-46129

Source Linux

Published May 28, 2026 at 09:35

Modified May 30, 2026 at 10:48

Affected Product

Vendor Linux

Product Linux

Version 58208907c4044a764dbd8896026283905da6d9be

Affected Versions Linux Linux 58208907c4044a764dbd8896026283905da6d9be
Linux Linux bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618
Linux Linux 6cb008f1bb23e023dfe615cca5df14570dfc8da5
Linux Linux a11224a016d6d1d46a4d9b6573244448a80d4d7f
Linux Linux a11224a016d6d1d46a4d9b6573244448a80d4d7f
Linux Linux 20e8f2de3688082eeafeb93c8900485b7542457e
Linux Linux 6.6.122
Linux Linux 6.12.67
Linux Linux 6.18.7
Linux Linux 6.1.162
Linux Linux 6.19

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info()\n-> btrfs_sysfs_add_space_info_type()\n-> kobject_init_and_add()\n-> failure\n-> kobject_put(&space_info->kobj)\n-> space_info_release()\n-> kfree(space_info)\n\nThen control returns to create_space_info():\n\nbtrfs_sysfs_add_space_info_type() returns error\n-> goto out_free\n-> kfree(space_info)\n\nThis causes a double free.\n\nKeep the direct kfree(space_info) for the earlier failure path, but\nafter btrfs_sysfs_add_space_info_type() has called kobject_put(), let\nthe kobject release callback handle the cleanup.",
    "published": "2026-05-28T09:35:44.271Z",
    "modified": "2026-05-30T10:48:07.941Z",
    "type": "cve",
    "title": "btrfs: fix double free in create_space_info() error path",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07\nhttps://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53\nhttps://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738\nhttps://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c\nhttps://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837",
    "id": "CVE-2026-46129",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 58208907c4044a764dbd8896026283905da6d9be\nLinux Linux bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618\nLinux Linux 6cb008f1bb23e023dfe615cca5df14570dfc8da5\nLinux Linux a11224a016d6d1d46a4d9b6573244448a80d4d7f\nLinux Linux a11224a016d6d1d46a4d9b6573244448a80d4d7f\nLinux Linux 20e8f2de3688082eeafeb93c8900485b7542457e\nLinux Linux 6.6.122\nLinux Linux 6.12.67\nLinux Linux 6.18.7\nLinux Linux 6.1.162\nLinux Linux 6.19",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "58208907c4044a764dbd8896026283905da6d9be",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply