CVE-2026-46129
HIGHbtrfs: fix double free in create_space_info() error path
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
References (6)
Core 6
Core References
Scores
CVSS v3
7.8
EPSS
0.0014
EPSS Percentile
3.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-415
Status
published
Products (28)
linux/Kernel
< 6.1.175linux
linux/Kernel
6.13.0 - 6.18.30linux
linux/Kernel
6.19.0 - 7.0.7linux
linux/Kernel
6.2.0 - 6.6.140linux
linux/Kernel
6.7.0 - 6.12.88linux
Linux/Linux
< 6.19
Linux/Linux
20e8f2de3688082eeafeb93c8900485b7542457e
Linux/Linux
20e8f2de3688082eeafeb93c8900485b7542457e - ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5
Linux/Linux
58208907c4044a764dbd8896026283905da6d9be - c2670ec4aa49ca226bce9776601e0da37502be07
Linux/Linux
6.1.162 - 6.1.175
... and 18 more
Published
May 28, 2026
Tracked Since
May 28, 2026