Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double free bug exists in the Linux kernel’s btrfs filesystem when the create_space_info() function fails to allocate a kobject. The bug allows the same memory block to be freed twice, which can corrupt kernel memory and may lead to a system crash. This weakness is a classic improper deallocation flaw (CWE-415).

Affected Systems

The flaw affects Linux kernel binaries that include the Btrfs filesystem and whose version does not contain the upstream commit that fixes the double free. Any kernel build using the unpatched btrfs module prior to the specified commit is potentially vulnerable. No specific version range is provided in the advisory, so all affected kernels must be examined against the fix commit history to determine coverage.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog, and no EPSS information is available. No publicly documented exploits are known. The double free occurs during the btrfs error path, but the CVE description does not provide details on a specific attack scenario.

Generated by OpenCVE AI on May 28, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the btrfs double‑free fix commit
  • If an immediate kernel upgrade is not possible, apply the patch from the provided git references to the btrfs source and rebuild the kernel
  • If the Btrfs filesystem is not required, consider disabling it to reduce exposure

Generated by OpenCVE AI on May 28, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
Title btrfs: fix double free in create_space_info() error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:44.271Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46129

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.473

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T13:15:20Z

Weaknesses