CVE-2026-46159
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
19/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak<br />
<br />
btrfs_ioctl_space_info() has a TOCTOU race between two passes over the<br />
block group RAID type lists. The first pass counts entries to determine<br />
the allocation size, then the second pass fills the buffer. The<br />
groups_sem rwlock is released between passes, allowing concurrent block<br />
group removal to reduce the entry count.<br />
<br />
When the second pass fills fewer entries than the first pass counted,<br />
copy_to_user() copies the full alloc_size bytes including trailing<br />
uninitialized kmalloc bytes to userspace.<br />
<br />
Fix by copying only total_spaces entries (the actually-filled count from<br />
the second pass) instead of alloc_size bytes, and switch to kzalloc so<br />
any future copy size mismatch cannot leak heap data.
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.34.1 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.90 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.32 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3
- https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088
- https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77
- https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641
- https://git.kernel.org/stable/c/d69a4a6813fdba7c4cc3695a7e843842b240790d
- https://git.kernel.org/stable/c/d8224b1be6627c6c3b204bfb264508d27c65ac44
- https://git.kernel.org/stable/c/f407aad350bdea4db300c47433573b7a41630d33
- https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a



