CVE-2026-46164
Published: May 28, 2026
Modified: May 30, 2026
CVSS v3.1: 7.0
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

    create_space_info_sub_group()
    -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add()
    -> failure
    -> kobject_put(&sub_group->kobj)
    -> space_info_release()
    -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

    btrfs_sysfs_add_space_info_type() returns error
    -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
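The error path described above, as an added userspace model that is not the kernel patch or btrfs code. The `model_*` helpers, the `fail`/`fixed` parameters and the call counter are assumptions made for illustration; the model counts `kfree()` calls instead of performing a real double free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model; names mirror the CVE text, this is not kernel code. */
struct kobj { int refcount; void (*release)(struct kobj *); };
struct sub_group { struct kobj kobj; };            /* kobj is the first member */
struct parent { struct sub_group *sub_group[1]; };

static int free_calls;  /* kfree() calls seen for the object under test */
/* Stand-in for kfree(): only counts; the real free() is deferred to the caller. */
static void model_kfree(void *p) { (void)p; free_calls++; }

/* Stand-in for space_info_release(): the release callback owns the memory. */
static void sub_group_release(struct kobj *k) { model_kfree((struct sub_group *)k); }
static void model_kobject_put(struct kobj *k) { if (--k->refcount == 0) k->release(k); }

/* Stand-in for btrfs_sysfs_add_space_info_type(): on failure it drops the ref itself. */
static int model_sysfs_add(struct sub_group *sg, int fail)
{
    sg->kobj.refcount = 1;
    sg->kobj.release = sub_group_release;
    if (fail) { model_kobject_put(&sg->kobj); return -1; }
    return 0;
}

/* fixed=0: pre-fix error path, fixed=1: patched path. Returns kfree() calls (2 = double free). */
static int create_sub_group(struct parent *p, int fail, int fixed)
{
    struct sub_group *sg = calloc(1, sizeof(*sg));
    if (!sg) return -1;
    free_calls = 0;
    p->sub_group[0] = sg;
    if (model_sysfs_add(sg, fail)) {
        p->sub_group[0] = NULL;         /* kept by the fix */
        if (!fixed) model_kfree(sg);    /* pre-fix: release callback already freed it */
    } else {
        model_kobject_put(&sg->kobj);   /* normal teardown via the last reference */
        p->sub_group[0] = NULL;
    }
    free(sg);                           /* deferred real free, exactly once */
    return free_calls;
}

int main(void)
{
    struct parent p = { { NULL } };
    printf("pre-fix: %d, patched: %d\n", create_sub_group(&p, 1, 0), create_sub_group(&p, 1, 1));
    return 0;
}
```

The rule the model encodes: once the object has been handed to the kobject layer, its memory belongs to the release callback, so an error path that follows `kobject_put()` must not also call `kfree()`.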
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected 0bd151ce4200ca847990e05cca29a76456982ca5 - < d2a675f2e238ec96c8e91e2718c1f910c9c8fb21; affected 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb - < 14b22be1dd844383eb03af9b1ee3b6b25d32aeaf; affected f92ee31e031c7819126d2febdda0c3e91f5d2eb9 - < dfd05a16b5c9d1d98b47905f37f2fccda52173d1; affected f92ee31e031c7819126d2febdda0c3e91f5d2eb9 - < 259af6857a1b4f1e9ef8b780353f9d11c26a22bd; affected f92ee31e031c7819126d2febdda0c3e91f5d2eb9 - < a7449edf96143f192606ec8647e3167e1ecbd728; +4 more versions |
| Linux | Linux | affected 6.16; unaffected 0 - < 6.16; unaffected 6.6.141 - <= 6.6.*; unaffected 6.12.90 - <= 6.12.*; unaffected 6.18.32 - <= 6.18.*; +2 more versions |
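CVSS v3.1 Details
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local (AV:L)
Attack Complexity: High (AC:H)
Privileges Required: None (PR:N)
User Interaction: Required (UI:R)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)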