CVE-2026-46129

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
28/05/2026
Last modified:
24/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix double free in create_space_info() error path<br /> <br /> When kobject_init_and_add() fails, the call chain is:<br /> <br /> create_space_info()<br /> -&gt; btrfs_sysfs_add_space_info_type()<br /> -&gt; kobject_init_and_add()<br /> -&gt; failure<br /> -&gt; kobject_put(&amp;space_info-&gt;kobj)<br /> -&gt; space_info_release()<br /> -&gt; kfree(space_info)<br /> <br /> Then control returns to create_space_info():<br /> <br /> btrfs_sysfs_add_space_info_type() returns error<br /> -&gt; goto out_free<br /> -&gt; kfree(space_info)<br /> <br /> This causes a double free.<br /> <br /> Keep the direct kfree(space_info) for the earlier failure path, but<br /> after btrfs_sysfs_add_space_info_type() has called kobject_put(), let<br /> the kobject release callback handle the cleanup.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.162 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.122 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.67 (including) 6.12.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.18.7 (including) 6.18.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19.1 (including) 7.0.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*