CVE-2026-46159
Heap Info-Leak in Linux Kernel Btrfs
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's btrfs filesystem, specifically in the btrfs_ioctl_space_info() function. It involves a Time-Of-Check to Time-Of-Use (TOCTOU) race condition between two passes over block group RAID type lists. The first pass counts the number of entries to allocate memory, and the second pass fills a buffer with those entries. However, the lock protecting the data is released between these passes, allowing concurrent removal of block groups which can reduce the number of entries.
Because of this race, the second pass may fill fewer entries than the first pass counted. When data is copied to userspace, the function copies the originally allocated size, which includes uninitialized memory from the kernel heap. This can lead to leaking sensitive kernel memory contents to userspace.
The fix involves copying only the actual number of entries filled during the second pass and using zero-initialized memory allocation to prevent leaking uninitialized data.
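The count-then-fill race and the two-part fix described above, as an added userspace C model (not the kernel's code). All names are hypothetical; the `0xA5` fill stands in for stale heap contents, `calloc` for the kernel's zero-initialized allocation, and the "concurrent removal" is simulated inline between the passes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only; every name here is hypothetical, not a kernel identifier. */
struct entry { uint64_t flags, total, used; };
#define MAX_LISTS 8
static int live[MAX_LISTS];            /* 1 = list still holds a block group */
static size_t count_pass(void) {       /* pass 1: sizes the allocation */
    size_t n = 0;
    for (int i = 0; i < MAX_LISTS; i++) n += (size_t)live[i];
    return n;
}

static size_t fill_pass(struct entry *dst, size_t slots) {  /* pass 2 */
    size_t n = 0;
    for (int i = 0; i < MAX_LISTS && n < slots; i++)
        if (live[i]) dst[n++] = (struct entry){ (uint64_t)i, 100, 50 };
    return n;
}

/* Returns how many stale (never-filled) bytes reach the caller's buffer. */
size_t query(int hardened, int removed_between, unsigned char *out, size_t *copied) {
    for (int i = 0; i < MAX_LISTS; i++) live[i] = 1;
    size_t slots = count_pass();
    size_t alloc = slots * sizeof(struct entry);
    struct entry *buf = hardened ? calloc(slots, sizeof *buf) : malloc(alloc);
    if (!buf) return (size_t)-1;
    if (!hardened) memset(buf, 0xA5, alloc);  /* stand-in for old heap contents */

    /* Lock is dropped here; a concurrent removal shrinks the lists. */
    for (int i = 0; i < removed_between && i < MAX_LISTS; i++) live[i] = 0;
    size_t filled = fill_pass(buf, slots) * sizeof(struct entry);
    *copied = hardened ? filled : alloc;      /* filled size vs. counted size */
    memcpy(out, buf, *copied);
    free(buf);
    size_t stale = 0;
    for (size_t i = filled; i < *copied; i++) stale += (out[i] == 0xA5);
    return stale;
}

int main(void) {
    unsigned char out[MAX_LISTS * sizeof(struct entry)];
    size_t copied;
    printf("vulnerable: %zu stale bytes\n", query(0, 3, out, &copied));
    printf("hardened:   %zu stale bytes\n", query(1, 3, out, &copied));
    return 0;
}
```

Either half of the fix alone closes the leak in this model: copying only the filled size never reaches the tail, and zeroing the allocation makes the tail harmless if it is copied.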
How can this vulnerability impact me?
This vulnerability can lead to an information leak where uninitialized kernel heap memory is exposed to userspace applications. An attacker with access to the vulnerable btrfs ioctl interface could potentially read sensitive kernel memory contents, which might include sensitive data or pointers that could aid further attacks.