CVE-2026-31434
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix leak of kobject name for sub-group space_info
When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked.
This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error:
unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e
To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in btrfs occurs when sub-group space_info kobject names are not freed during removal, leading to kmemleak-detected unreferenced objects.
Vulnerability
Description
CVE-2026-31434 is a memory leak vulnerability in the Linux kernel's btrfs filesystem. The issue lies in the handling of sub-group space_info objects. When create_space_info_sub_group() allocates elements of space_info->sub_group[], it calls kobject_init_and_add() via btrfs_sysfs_add_space_info_type() for each element. However, during the removal process in check_removing_space_info(), the corresponding cleanup function btrfs_sysfs_remove_space_info() is not invoked. Instead, kfree() is used, which fails to release the kobject name string allocated by kobject_set_name_vargs(). This results in a persistent memory leak of the kobj->name objects [1][2].
Exploitation and
Trigger
The vulnerability can be triggered by mounting a btrfs filesystem in a way that creates sub-group space_info entries, for example, when using a dedicated data relocation block group. This can be reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK enabled. The leak is not exploitable for arbitrary code execution or privilege escalation; it is a denial-of-service (DoS) vector through memory exhaustion, as repeated mount/unmount cycles will gradually deplete system memory [1].
Impact
An attacker with the ability to mount and unmount a btrfs filesystem (requiring local access) could repeatedly trigger the memory leak, eventually exhausting kernel memory and causing system instability or crash. The kmemleak feature reports unreferenced objects of size 16 bytes (the kobject name string), but each missing kobject_put() prevents the entire kobject from being freed, leading to a larger cumulative leak [1].
Mitigation
The fix, already merged into the Linux kernel stable tree, replaces the kfree() call with btrfs_sysfs_remove_space_info() in check_removing_space_info(), ensuring proper cleanup of the sub-group sysfs entries and their associated kobject names [4]. Users should apply the corresponding stable kernel updates to mitigate this leak. No workaround is available besides avoiding repeated mount/unmount operations on affected systems until patched.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96anvd
- git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dcnvd
- git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949nvd
- git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48nvd
- git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337cnvd
- git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41nvd
News mentions
0No linked articles in our index yet.