Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group()
  -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add()
      -> failure
    -> kobject_put(&sub_group->kobj)
      -> space_info_release()
        -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error
  -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after
btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
kobject release callback handle the cleanup.
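
A userspace C model of the ownership rule behind this fix, added here as an illustration; it is not the kernel's or the patch's code. The kobject helpers are simplified stand-ins that keep the kernel names, and model_kfree(), storage, parent_slot and the fail/fixed parameters are hypothetical.

```c
#include <stddef.h>

/* Userspace model of a refcounted kobject; names mirror the advisory. */
struct kobj { int refcount; void (*release)(struct kobj *); };
struct sub_group { struct kobj kobj; };   /* kobj is the first member */

static int free_calls;                    /* times kfree(sub_group) is reached */
static struct sub_group storage;          /* stands in for the allocated object */
static struct sub_group *parent_slot;     /* stands in for parent->sub_group[index] */

/* Counts instead of freeing, so the double free is observable, not fatal. */
static void model_kfree(struct sub_group *sg) { (void)sg; free_calls++; }

/* The release callback owns the free of the embedding object. */
static void space_info_release(struct kobj *k) { model_kfree((struct sub_group *)k); }

static void kobject_put(struct kobj *k) { if (--k->refcount == 0) k->release(k); }

/* Takes the initial reference even when the add step fails. */
static int kobject_init_and_add(struct kobj *k, void (*rel)(struct kobj *), int fail)
{
    k->refcount = 1;
    k->release = rel;
    return fail ? -1 : 0;
}

static int sysfs_add_space_info_type(struct sub_group *sg, int fail)
{
    int ret = kobject_init_and_add(&sg->kobj, space_info_release, fail);
    if (ret)
        kobject_put(&sg->kobj);           /* last ref dropped: release runs */
    return ret;
}

/* fixed=0: pre-patch error path, fixed=1: patched. Returns the free count. */
static int create_sub_group(int fail, int fixed)
{
    free_calls = 0;
    parent_slot = &storage;
    if (sysfs_add_space_info_type(&storage, fail)) {
        if (!fixed)
            model_kfree(&storage);        /* second free of the same object */
        parent_slot = NULL;               /* kept on the failure path either way */
    }
    return free_calls;
}

int main(void) { return create_sub_group(1, 0) == 2 && create_sub_group(1, 1) == 1 ? 0 : 1; }
```

Once kobject_init_and_add() has been called, the only correct way to dispose of the object is kobject_put(); any direct free by the caller after that point duplicates the release callback's work.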
Published: 2026-05-28
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises when the Btrfs file system attempts to create a space information subgroup and the initialization of the associated kernel object fails. In this error path the subgroup structure is freed twice: first by the kobject release callback, which runs when btrfs_sysfs_add_space_info_type() calls kobject_put(), and again by the kfree() in the caller, create_space_info_sub_group(). This double free causes kernel memory corruption, which can result in a kernel crash or, in the worst case, uncontrolled memory modification. The vulnerability is classified as CWE‑1341 and CWE‑415, both of which describe improper handling of resources during error cleanup. The CVE description contains no evidence of privilege escalation or remote exploitation.

Affected Systems

The issue exists in all Linux kernel releases that do not yet include the patch commits referenced in the advisory (e.g., 14b22be1dd844383eb03af9b1ee3b6b25d32af ...). Distributions shipping those kernel versions remain vulnerable until they update to a kernel that incorporates the fix.

Risk and Exploitability

The CVSS score of 7.0 classifies the flaw as high‑severity, indicating a significant risk to kernel stability. However, the EPSS score of <1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, so no active exploits are known. The CVE description does not provide evidence that this double free can be triggered remotely or result in exploitation. Consequently, the risk remains limited to a high‑severity kernel memory corruption scenario, potentially leading to a kernel crash, but with a low probability of exploitation.

Generated by OpenCVE AI on June 10, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the updated kernel package from your distribution that contains the Btrfs double‑free patch
  • If building from source, cherry‑pick the commit(s) that fix the double free (e.g., 14b22be1dd844383eb03af9b1ee3b6b25d32af) into your kernel tree, rebuild, and reboot
  • Configure kernel logs or system monitoring to alert on Btrfs panic or crash messages and restrict unprivileged users from performing sysfs operations that could trigger btrfs_sysfs_add_space_info_type


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title btrfs: fix double free in create_space_info_sub_group() error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:59:24.631Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46164

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:32.043

Modified: 2026-06-10T21:14:05.953

Link: CVE-2026-46164

Redhat

Severity:

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46164 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses
  • CWE-1341

    Multiple Releases of Same Resource or Handle

  • CWE-415

    Double Free