CVE-2026-46129

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux20e8f2de3688082eeafeb93c8900485b7542457e < ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5affected
LinuxLinux58208907c4044a764dbd8896026283905da6d9be < c2670ec4aa49ca226bce9776601e0da37502be07affected
LinuxLinuxbb4fa4c0b54aae25e55faeda7f78d0c11b8cd618 < f414b3abbba59ef379a2b3c31f2bdd9358ed5e53affected
LinuxLinux6cb008f1bb23e023dfe615cca5df14570dfc8da5 < 9a060970fd7b5e1c561e4ce73cb9949e4269a738affected
LinuxLinuxa11224a016d6d1d46a4d9b6573244448a80d4d7f < dd6ade0fdd59218d71a981ae7c937a304e49209caffected
LinuxLinuxa11224a016d6d1d46a4d9b6573244448a80d4d7f < 3f487be81292702a59ea9dbc4088b3360a50e837affected
LinuxLinux6.1.162 < 6.1.175affected
LinuxLinux6.6.122 < 6.6.140affected
LinuxLinux6.12.67 < 6.12.88affected
LinuxLinux6.18.7 < 6.18.30affected
LinuxLinux6.19affected
LinuxLinux0 < 6.19unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References