CVE-2026-46129

HIGH

btrfs: fix double free in create_space_info() error path

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

Scores

CVSS v3 7.8
EPSS 0.0014
EPSS Percentile 3.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-415
Status published
Products (28)
linux/Kernel < 6.1.175linux
linux/Kernel 6.13.0 - 6.18.30linux
linux/Kernel 6.19.0 - 7.0.7linux
linux/Kernel 6.2.0 - 6.6.140linux
linux/Kernel 6.7.0 - 6.12.88linux
Linux/Linux < 6.19
Linux/Linux 20e8f2de3688082eeafeb93c8900485b7542457e
Linux/Linux 20e8f2de3688082eeafeb93c8900485b7542457e - ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5
Linux/Linux 58208907c4044a764dbd8896026283905da6d9be - c2670ec4aa49ca226bce9776601e0da37502be07
Linux/Linux 6.1.162 - 6.1.175
... and 18 more
Published May 28, 2026
Tracked Since May 28, 2026