CVE-2026-46164
Received - Intake
Double Free in Linux Kernel Btrfs Subgroup

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

    create_space_info_sub_group()
    -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add()
    -> failure
    -> kobject_put(&sub_group->kobj)
    -> space_info_release()
    -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

    btrfs_sysfs_add_space_info_type() returns error
    -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
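The error path described above, reduced to a userspace model that counts frees instead of performing them (an added example, not kernel code or the upstream patch). The struct layouts, the `model_*` helpers, `frees_on_failure()` and the error value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model with constructed stand-ins; not the kernel's definitions. */
struct kobj { int refs; void (*release)(struct kobj *); };
struct sub_group { struct kobj kobj; };          /* kobj is the first member */
struct parent { struct sub_group *sub_group[1]; };

static struct sub_group slot;  /* one static object, so nothing is really freed */
static int free_calls;         /* times the model "kfree'd" that object */

static void model_kfree(struct sub_group *sg) { (void)sg; free_calls++; }
/* Release callback: runs when the last reference is dropped. */
static void space_info_release(struct kobj *k) { model_kfree((struct sub_group *)k); }

static void model_kobject_put(struct kobj *k) { if (--k->refs == 0) k->release(k); }

/* Models btrfs_sysfs_add_space_info_type(): on failure it drops the reference. */
static int model_sysfs_add(struct sub_group *sg, int fail)
{
    sg->kobj.refs = 1;
    sg->kobj.release = space_info_release;
    if (!fail)
        return 0;
    model_kobject_put(&sg->kobj);  /* -> space_info_release() -> kfree */
    return -1;                     /* constructed error value */
}

/* Models the create_space_info_sub_group() error path; returns the free count. */
int frees_on_failure(int fixed, struct parent *p)
{
    struct sub_group *sg = &slot;
    free_calls = 0;
    p->sub_group[0] = sg;
    if (model_sysfs_add(sg, 1)) {
        p->sub_group[0] = NULL;    /* kept in both variants */
        if (!fixed)
            model_kfree(sg);       /* pre-fix: second free of the same object */
    }
    return free_calls;
}

int main(void)
{
    struct parent p = { { NULL } };
    printf("pre-fix frees: %d\n", frees_on_failure(0, &p));
    printf("fixed frees:   %d\n", frees_on_failure(1, &p));
    return 0;
}
```

The rule the model illustrates: once a failed add has dropped the last reference with kobject_put(), the object belongs to its release callback and the caller must not free it again.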
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
linux | kernel | *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a double free error in the Linux kernel's btrfs filesystem code, specifically in the function create_space_info_sub_group().

When the function kobject_init_and_add() fails during the creation of a sub_group, the sub_group object is freed twice due to two separate calls to free it: once via kobject_put() and its release callback, and once again directly in create_space_info_sub_group().

This double free occurs because after kobject_put() is called, the cleanup should be handled by the kobject release callback, but the code also calls kfree(sub_group) again, leading to the double free.


How can this vulnerability impact me?

A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges.

In the context of the Linux kernel, this could compromise system stability and security, potentially allowing attackers to cause denial of service or gain unauthorized access.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability involves a double free in the btrfs subsystem of the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version where this issue has been fixed.

Specifically, apply the patch that fixes the double free in the create_space_info_sub_group() error path; it ensures proper cleanup by letting the kobject release callback handle it instead of freeing sub_group twice.

Until the kernel is updated, avoid using affected btrfs features that might trigger this code path if possible.

