Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix leak of kobject name for sub-group space_info

When create_space_info_sub_group() allocates elements of
space_info->sub_group[], kobject_init_and_add() is called for each
element via btrfs_sysfs_add_space_info_type(). However, when
check_removing_space_info() frees these elements, it does not call
btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is
not called and the associated kobj->name objects are leaked.

This memory leak is reproduced by running the blktests test case
zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak
feature reports the following error:

unreferenced object 0xffff888112877d40 (size 16):
comm "mount", pid 1244, jiffies 4294996972
hex dump (first 16 bytes):
64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......
backtrace (crc 53ffde4d):
__kmalloc_node_track_caller_noprof+0x619/0x870
kstrdup+0x42/0xc0
kobject_set_name_vargs+0x44/0x110
kobject_init_and_add+0xcf/0x150
btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]
create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]
create_space_info+0x211/0x320 [btrfs]
btrfs_init_space_info+0x15a/0x1b0 [btrfs]
open_ctree+0x33c7/0x4a50 [btrfs]
btrfs_get_tree.cold+0x9f/0x1ee [btrfs]
vfs_get_tree+0x87/0x2f0
vfs_cmd_create+0xbd/0x280
__do_sys_fsconfig+0x3df/0x990
do_syscall_64+0x136/0x1540
entry_SYSCALL_64_after_hwframe+0x76/0x7e

To avoid the leak, call btrfs_sysfs_remove_space_info() instead of
kfree() for the elements.
Published: 2026-04-22
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak Leading to Potential Denial of Service
Action: Patch Kernel
AI Analysis

Impact

The vulnerability arises in the Linux kernel’s Btrfs filesystem when creating space_info sub‑groups. The code fails to remove the kobject name entries on deallocation, which leaks name strings. This is a CWE‑911 weakness involving inadequate deallocation of name objects. The leak is manifested as orphaned memory that can accumulate over time and potentially exhaust kernel memory.

Affected Systems

All Linux kernel deployments that include the Btrfs filesystem and expose the space_info structure are affected, regardless of distribution. The leak can manifest in any kernel version prior to the patch commit referenced in the advisory. Systems built with the CONFIG_DEBUG_KMEMLEAK option are especially useful for detecting the leak, but dynamic memory pressure can occur in normal operation as well.

Risk and Exploitability

The advisory does not provide a CVSS score. The EPSS score is < 1%, indicating a very low chance of active exploitation. The vulnerability is not in CISA’s KEV catalog. The leak can accumulate as many space_info objects are created, which may occur during normal Btrfs operation or specific workloads that heavily use the space_info structure. No public exploitation has been documented, but the potential for memory exhaustion remains.

Generated by OpenCVE AI on April 29, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the patch removing the missing btrfs_sysfs_remove_space_info() call (commits 1737ddeafbb1304f41ec2eede4f7366082e7c96a and related updates).
  • If upgrading immediately is not possible, disable the Btrfs filesystem or unmount it when it is not required to reduce memory usage from the space_info entries.
  • Monitor kernel memory usage and consider enforcing stricter limits or using low‑memory killer settings to mitigate the effects of a potential leak.

Generated by OpenCVE AI on April 29, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Tue, 28 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix leak of kobject name for sub-group space_info When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked. This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error: unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.
Title btrfs: fix leak of kobject name for sub-group space_info
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:38.104Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31434

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:36.533

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31434

cve-icon Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31434 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses