btrfs: fix double free in create_space_info_sub_group() error path_CVE-2026-46164

7 / 10

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&sub_group->kobj)
-> space_info_release()
-> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error
-> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after
btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
kobject release callback handle the cleanup.

Basic Information

ID CVE-2026-46164

Source Linux

Published May 28, 2026 at 09:36

Modified May 30, 2026 at 10:48

Affected Product

Vendor Linux

Product Linux

Version 0bd151ce4200ca847990e05cca29a76456982ca5

Affected Versions Linux Linux 0bd151ce4200ca847990e05cca29a76456982ca5
Linux Linux 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb
Linux Linux f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Linux Linux f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Linux Linux f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Linux Linux 64c7ddda83acfbaa0efb381a1928ce908c584607
Linux Linux 6.6.122
Linux Linux 6.12.67
Linux Linux 6.1.162
Linux Linux 6.16

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info_sub_group() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info_sub_group()\n-> btrfs_sysfs_add_space_info_type()\n-> kobject_init_and_add()\n-> failure\n-> kobject_put(&sub_group->kobj)\n-> space_info_release()\n-> kfree(sub_group)\n\nThen control returns to create_space_info_sub_group(), where:\n\nbtrfs_sysfs_add_space_info_type() returns error\n-> kfree(sub_group)\n\nThus, sub_group is freed twice.\n\nKeep parent->sub_group[index] = NULL for the failure path, but after\nbtrfs_sysfs_add_space_info_type() has called kobject_put(), let the\nkobject release callback handle the cleanup.",
    "published": "2026-05-28T09:36:19.810Z",
    "modified": "2026-05-30T10:48:32.353Z",
    "type": "cve",
    "title": "btrfs: fix double free in create_space_info_sub_group() error path",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21\nhttps://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf\nhttps://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1\nhttps://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd\nhttps://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728",
    "id": "CVE-2026-46164",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 0bd151ce4200ca847990e05cca29a76456982ca5\nLinux Linux 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb\nLinux Linux f92ee31e031c7819126d2febdda0c3e91f5d2eb9\nLinux Linux f92ee31e031c7819126d2febdda0c3e91f5d2eb9\nLinux Linux f92ee31e031c7819126d2febdda0c3e91f5d2eb9\nLinux Linux 64c7ddda83acfbaa0efb381a1928ce908c584607\nLinux Linux 6.6.122\nLinux Linux 6.12.67\nLinux Linux 6.1.162\nLinux Linux 6.16",
    "sourceHref": "",
    "cvss": {
        "score": 7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "0bd151ce4200ca847990e05cca29a76456982ca5",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply