Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the allocation size, then the second pass fills the buffer. The
groups_sem rwlock is released between passes, allowing concurrent block
group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted,
copy_to_user() copies the full alloc_size bytes including trailing
uninitialized kmalloc bytes to userspace.

Fix by copying only total_spaces entries (the actually-filled count from
the second pass) instead of alloc_size bytes, and switch to kzalloc so
any future copy size mismatch cannot leak heap data.
Published: 2026-05-28
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A time-of-check to time-of-use race exists in the function btrfs_ioctl_space_info. The routine first counts entries to size a buffer, then releases a rwlock, allowing concurrent block group removal to reduce that count. The second pass then fills fewer entries than were counted, and the kernel copies the full alloc_size bytes, including uninitialized kmalloc data, to user space. The description does not state the privilege level required to trigger the ioctl; it is inferred that a local user with access to the Btrfs filesystem and its ioctl interface could trigger the race, leading to an information leak. The underlying weakness is a race condition that results in an information leak.
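The count/fill/copy sequence described above, and why each half of the fix matters, can be seen in a small user-space model. This is an added example, not code from the kernel or from OpenCVE: `struct space_entry`, `count_pass`, `fill_pass` and `simulate_space_info` are constructed stand-ins, and a 0xAA marker plays the role of the stale heap contents a non-zeroing allocator returns. The caller chooses how many entries are visible at count time and at fill time, which models the window in which the lock is dropped, and the function reports how many bytes that the fill pass never wrote reached the user buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for one space-info entry; not the kernel's own struct. */
struct space_entry {
    uint64_t flags;
    uint64_t total_bytes;
    uint64_t used_bytes;
};

/* Marker written into a fresh allocation to play the role of the stale heap
 * contents that a non-zeroing allocator (kmalloc) hands back. */
#define STALE_BYTE 0xAA

struct space_info_result {
    size_t bytes_copied;  /* bytes that reached the "user" buffer */
    size_t stale_bytes;   /* of those, bytes never written by the fill pass */
};

/* First pass: count the lists visible while the lock is held. */
static int count_pass(int entries_visible) { return entries_visible; }

/* Second pass: fill one entry per list still present. The caller decides how
 * many lists survived the window in which the lock was dropped. */
static int fill_pass(struct space_entry *dst, int entries_visible) {
    for (int i = 0; i < entries_visible; i++) {
        dst[i].flags = (uint64_t)1 << i;
        dst[i].total_bytes = 1024u * (uint64_t)(i + 1);
        dst[i].used_bytes = 512u * (uint64_t)(i + 1);
    }
    return entries_visible;
}

/* Model of the ioctl's allocate / count / fill / copy sequence.
 *   zero_alloc       0: kmalloc-like (stale contents)   1: kzalloc-like (zeroed)
 *   copy_only_filled 0: copy alloc_size bytes (old code)
 *                    1: copy total_spaces entries (fixed code)
 */
struct space_info_result simulate_space_info(int entries_at_count,
                                             int entries_at_fill,
                                             int zero_alloc,
                                             int copy_only_filled) {
    struct space_info_result res = {0, 0};
    int slot_count = count_pass(entries_at_count);
    size_t alloc_size = sizeof(struct space_entry) * (size_t)slot_count;
    if (alloc_size == 0) return res;

    /* Clamp so this model can never overrun its own buffer (model assumption). */
    if (entries_at_fill > slot_count) entries_at_fill = slot_count;

    unsigned char *kbuf = malloc(alloc_size);   /* kernel-side allocation */
    unsigned char *ubuf = malloc(alloc_size);   /* user-supplied buffer   */
    if (!kbuf || !ubuf) { free(kbuf); free(ubuf); return res; }
    memset(kbuf, zero_alloc ? 0x00 : STALE_BYTE, alloc_size);
    memset(ubuf, 0x00, alloc_size);

    /* Lock dropped here: entries_at_fill may be smaller than slot_count. */
    int total_spaces = fill_pass((struct space_entry *)kbuf, entries_at_fill);
    size_t filled_bytes = sizeof(struct space_entry) * (size_t)total_spaces;

    size_t copy_len = copy_only_filled ? filled_bytes : alloc_size;
    memcpy(ubuf, kbuf, copy_len);               /* copy_to_user() stand-in */

    /* Anything past the filled region that still carries the marker is
     * uninitialized allocation content that reached userspace. */
    res.bytes_copied = copy_len;
    for (size_t i = filled_bytes; i < copy_len; i++)
        if (ubuf[i] == STALE_BYTE) res.stale_bytes++;

    free(kbuf);
    free(ubuf);
    return res;
}

int main(void) {
    /* Constructed scenario: 4 lists counted, 2 left when the fill runs. */
    struct space_info_result r;
    r = simulate_space_info(4, 2, 0, 0);
    printf("old code        : copied %zu bytes, %zu stale\n", r.bytes_copied, r.stale_bytes);
    r = simulate_space_info(4, 2, 0, 1);
    printf("copy filled only: copied %zu bytes, %zu stale\n", r.bytes_copied, r.stale_bytes);
    r = simulate_space_info(4, 2, 1, 0);
    printf("kzalloc only    : copied %zu bytes, %zu stale\n", r.bytes_copied, r.stale_bytes);
    r = simulate_space_info(4, 2, 1, 1);
    printf("both (the fix)  : copied %zu bytes, %zu stale\n", r.bytes_copied, r.stale_bytes);
    return 0;
}
```

Running the four variants shows the two layers of the fix: copying only `total_spaces` entries removes the over-copy itself, while zeroing the allocation means that even if a future size mismatch reappears, the surplus bytes carry zeros rather than heap contents.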

Affected Systems

The vulnerability affects the Btrfs implementation in the Linux kernel on all distributions that ship the kernel with the Btrfs module enabled. No specific kernel version is enumerated, but the fix is present in patched kernels. The affected vendor is listed as Linux:Linux.

Risk and Exploitability

Exploitation of the race may be possible when a space_info ioctl is invoked against a Btrfs file system. The description does not specify the privilege level required; it is inferred that a local user with access to the relevant ioctl could trigger the race, but the flaw may also be exploitable by processes with higher permissions. The race requires a concurrent block group removal between the two passes, which could occur during normal filesystem activity. The CVSS score of 4.7 and an EPSS score below 1% indicate moderate severity with a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog, so no widespread exploitation has been observed.

Generated by OpenCVE AI on June 9, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the btrfs_ioctl_space_info race fix, so that the Btrfs module uses the corrected copy logic and kzalloc allocation.
  • If an immediate kernel upgrade is not feasible, limit or deny the Btrfs space_info ioctl by restricting file descriptor access to privileged users, or disable the Btrfs filesystem on hosts that do not require it.
  • Deploy kernel lockdown or enable SELinux/AppArmor policies that prevent unprivileged users from obtaining direct Btrfs ioctl access, reducing the opportunity for the race condition to be triggered.

Generated by OpenCVE AI on June 9, 2026 at 23:37 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-635

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-635

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.
Title btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:58.225Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46159

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:31.553

Modified: 2026-06-09T21:06:24.467

Link: CVE-2026-46159

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46159 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T23:45:15Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition