CVE-2026-46159
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/05/2026
Última modificación:
19/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak<br />
<br />
btrfs_ioctl_space_info() has a TOCTOU race between two passes over the<br />
block group RAID type lists. The first pass counts entries to determine<br />
the allocation size, then the second pass fills the buffer. The<br />
groups_sem rwlock is released between passes, allowing concurrent block<br />
group removal to reduce the entry count.<br />
<br />
When the second pass fills fewer entries than the first pass counted,<br />
copy_to_user() copies the full alloc_size bytes including trailing<br />
uninitialized kmalloc bytes to userspace.<br />
<br />
Fix by copying only total_spaces entries (the actually-filled count from<br />
the second pass) instead of alloc_size bytes, and switch to kzalloc so<br />
any future copy size mismatch cannot leak heap data.
Impacto
Puntuación base 3.x
4.70
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.34.1 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.90 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.32 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3
- https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088
- https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77
- https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641
- https://git.kernel.org/stable/c/d69a4a6813fdba7c4cc3695a7e843842b240790d
- https://git.kernel.org/stable/c/d8224b1be6627c6c3b204bfb264508d27c65ac44
- https://git.kernel.org/stable/c/f407aad350bdea4db300c47433573b7a41630d33
- https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a



