CVE-2026-46159

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
19/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak<br /> <br /> btrfs_ioctl_space_info() has a TOCTOU race between two passes over the<br /> block group RAID type lists. The first pass counts entries to determine<br /> the allocation size, then the second pass fills the buffer. The<br /> groups_sem rwlock is released between passes, allowing concurrent block<br /> group removal to reduce the entry count.<br /> <br /> When the second pass fills fewer entries than the first pass counted,<br /> copy_to_user() copies the full alloc_size bytes including trailing<br /> uninitialized kmalloc bytes to userspace.<br /> <br /> Fix by copying only total_spaces entries (the actually-filled count from<br /> the second pass) instead of alloc_size bytes, and switch to kzalloc so<br /> any future copy size mismatch cannot leak heap data.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.34.1 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.32 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.7 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:*