CVE-2026-46159
Heap Info-Leak in Linux Kernel Btrfs

Publication date: 2026-05-28

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.

Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS evaluated: 2026-06-16
Affected Vendors & Products
Showing 11 associated CPEs

Vendor | Product      | Version / Range
linux  | linux_kernel | 2.6.34
linux  | linux_kernel | from 6.19 (inclusive) to 7.0.7 (exclusive)
linux  | linux_kernel | from 2.6.34.1 (inclusive) to 6.6.140 (exclusive)
linux  | linux_kernel | from 6.13 (inclusive) to 6.18.32 (exclusive)
linux  | linux_kernel | from 6.7 (inclusive) to 6.12.90 (exclusive)
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Mitigation Strategies

The vulnerability is resolved in the Linux kernel by fixing the btrfs_ioctl_space_info() function to prevent the TOCTOU race condition that leads to information leakage.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

Executive Summary

This vulnerability exists in the Linux kernel's btrfs filesystem, specifically in the btrfs_ioctl_space_info() function. It involves a Time-Of-Check to Time-Of-Use (TOCTOU) race condition between two passes over block group RAID type lists. The first pass counts the number of entries to allocate memory, and the second pass fills a buffer with those entries. However, the lock protecting the data is released between these passes, allowing concurrent removal of block groups which can reduce the number of entries.

Because of this race, the second pass may fill fewer entries than the first pass counted. When data is copied to userspace, the function copies the originally allocated size, which includes uninitialized memory from the kernel heap. This can lead to leaking sensitive kernel memory contents to userspace.

The fix involves copying only the actual number of entries filled during the second pass and using zero-initialized memory allocation to prevent leaking uninitialized data.
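As an added illustration, not kernel code and not taken from the fix commit, the userspace C model below reproduces the count-then-fill pattern described above: a group disappears between the two passes, the defective path copies alloc_size bytes (including stale allocator bytes), and the corrected path copies only the filled entries from zeroed memory. The group list, the 0xAA stale-memory marker and every function name here are constructed assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added userspace model of the count-then-fill ioctl pattern; not kernel code. */
struct space_entry { uint64_t flags; uint64_t total_bytes; uint64_t used_bytes; };
#define ENTRY_SZ sizeof(struct space_entry)
static struct space_entry groups[8]; /* constructed block-group list */
static size_t ngroups;

/* Models kmalloc handing back a block that still holds stale data (0xAA marker). */
static void *kmalloc_model(size_t n) { void *p = malloc(n); if (p) memset(p, 0xAA, n); return p; }

/* Returns the byte count handed to userspace, mirroring the copy_to_user() length.
 * race: drop one group between the passes, where the real code releases groups_sem.
 * vulnerable: copy alloc_size bytes from kmalloc (the defect); otherwise copy only
 * the filled entries from zeroed memory (the fix). */
static size_t space_info_model(uint8_t *user, size_t user_len, int race, int vulnerable)
{
    size_t counted = ngroups;                        /* pass 1: count entries */
    size_t alloc_size = counted * ENTRY_SZ;
    if (race && ngroups) ngroups--;                  /* concurrent block group removal */
    struct space_entry *buf = vulnerable ? kmalloc_model(alloc_size)
                                         : calloc(counted, ENTRY_SZ);
    if (!buf) return 0;
    size_t filled = 0;                               /* pass 2: fill what is left */
    for (size_t i = 0; i < ngroups && filled < counted; i++)
        buf[filled++] = groups[i];
    size_t copy_len = vulnerable ? alloc_size : filled * ENTRY_SZ;
    if (copy_len > user_len) copy_len = user_len;
    memcpy(user, buf, copy_len);
    free(buf);
    return copy_len;
}

/* Runs one scenario on a constructed 3-group list. Returns the bytes copied to the
 * user buffer, or (if want_stale) how many marker bytes past the filled entries
 * reached userspace: any non-zero value is stale heap content that leaked. */
static size_t scenario(int race, int vulnerable, int want_stale)
{
    uint8_t user[256] = {0};
    ngroups = 3;
    for (size_t i = 0; i < ngroups; i++)
        groups[i] = (struct space_entry){ 1u << i, 100 * (i + 1), 10 * (i + 1) };
    size_t copied = space_info_model(user, sizeof user, race, vulnerable);
    if (!want_stale) return copied;
    size_t stale = 0;
    for (size_t i = ngroups * ENTRY_SZ; i < copied; i++)
        stale += (user[i] == 0xAA);
    return stale;
}
```

With the race and the defective copy, 72 bytes reach the user buffer although only two 24-byte entries were filled, so the last 24 bytes are marker bytes; the corrected path returns 48 bytes and no marker bytes.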

Impact Analysis

This vulnerability can lead to an information leak where uninitialized kernel heap memory is exposed to userspace applications. An attacker with access to the vulnerable btrfs ioctl interface could potentially read sensitive kernel memory contents, which might include sensitive data or pointers that could aid further attacks.
