CVE-2026-46164
Analyzed Analyzed - Analysis Complete
Double Free in Linux Kernel Btrfs Subgroup

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46164
EUVD
EUVD-2026-32791
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.1.162 (inc) to 6.2 (exc)
linux linux_kernel From 6.12.67 (inc) to 6.12.90 (exc)
linux linux_kernel From 6.16 (inc) to 6.18.32 (exc)
linux linux_kernel From 6.6.122 (inc) to 6.6.141 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability involves a double free in the btrfs subsystem of the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version where this issue has been fixed.

Specifically, apply the patch that fixes the double free in create_space_info_sub_group() error path, which ensures proper cleanup by letting the kobject release callback handle the cleanup instead of freeing the sub_group twice.

Until the kernel is updated, avoid using affected btrfs features that might trigger this code path if possible.

Executive Summary

This vulnerability is a double free error in the Linux kernel's btrfs filesystem code, specifically in the function create_space_info_sub_group().

When the function kobject_init_and_add() fails during the creation of a sub_group, the sub_group object is freed twice due to two separate calls to free it: once via kobject_put() and its release callback, and once again directly in create_space_info_sub_group().

This double free occurs because after kobject_put() is called, the cleanup should be handled by the kobject release callback, but the code also calls kfree(sub_group) again, leading to the double free.

Impact Analysis

A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges.

In the context of the Linux kernel, this could compromise system stability and security, potentially allowing attackers to cause denial of service or gain unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46164. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart