CVE-2026-46164
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free in create_space_info_sub_group() error path
When kobject_init_and_add() fails, the call chain is:
create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)
Then control returns to create_space_info_sub_group(), where:
btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)
Thus, sub_group is freed twice.
Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel btrfs bug: double-free in create_space_info_sub_group() when kobject_init_and_add() fails, leading to kernel memory corruption.
Vulnerability
In the Linux kernel's btrfs filesystem, a double free exists in create_space_info_sub_group() in fs/btrfs/space-info.c. The function allocates a sub-group, stores it in parent->sub_group[index], and registers it in sysfs through btrfs_sysfs_add_space_info_type() (fs/btrfs/sysfs.c). When kobject_init_and_add() fails inside that helper, the helper's error path calls kobject_put(), which drops the last reference and runs space_info_release(), freeing the sub-group. The helper then returns an error, and create_space_info_sub_group() freed the same pointer a second time with kfree(sub_group). Every kernel that carries this code path without the fix is affected; the fix commit and its stable backports are listed under References [1].
Exploitation
Reaching the bug requires kobject_init_and_add() to fail inside btrfs_sysfs_add_space_info_type(), which btrfs calls while creating space-info sub-groups; per the commit message this happens during filesystem setup, i.e. at mount time. The failure is an allocation or sysfs registration error, which is rare under ordinary memory pressure and is most readily provoked with the kernel's fault-injection framework (failslab). Mounting a btrfs filesystem ordinarily requires CAP_SYS_ADMIN or a privileged mount helper, so "no special privileges" should be read as: local access plus whatever lets the attacker trigger a btrfs mount. Turning the double free into code execution would need the freed slot to be reallocated between the two frees, but they happen back to back on the same CPU with no intervening allocation; kernels built with CONFIG_SLAB_FREELIST_HARDENED will usually detect the second free and BUG(), and KASAN builds report it outright, so the practical outcome is a crash.
Impact
The double free corrupts the slab allocator's freelist metadata. The realistic consequence is a kernel crash (denial of service). Privilege escalation or arbitrary code execution in kernel context is the theoretical ceiling for any kernel double free, but it would require heap control between the two frees that this code path does not provide.
Mitigation
The fix is commit d2a675f2e238ec96c8e91e2718c1f910c9c8fb21; the other commits under References are the same one-hunk change applied to stable branches [1]. Update to a kernel that contains it. There is no runtime workaround: the affected code runs whenever a btrfs filesystem is mounted, so until the kernel is patched the exposure is bounded only by who can mount btrfs on the host.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
d2a675f2e238 btrfs: fix double free in create_space_info_sub_group() error path
1 file changed · +1 −4
fs/btrfs/space-info.c+1 −4 modifieddiff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c index 3256a2decbc978..a54649a5e07855 100644 --- a/fs/btrfs/space-info.c +++ b/fs/btrfs/space-info.c @@ -263,10 +263,8 @@ static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flag sub_group->subgroup_id = id; ret = btrfs_sysfs_add_space_info_type(sub_group); - if (ret) { - kfree(sub_group); + if (ret) parent->sub_group[index] = NULL; - } return ret; } -- cgit 1.3-korg
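Review bot: dropping kfree(sub_group) is only correct if btrfs_sysfs_add_space_info_type() calls kobject_put() on every failure return, not just when kobject_init_and_add() fails, and that contract is not visible in this hunk; add a one-line comment at the `if (ret)` site, e.g. `/* sub_group is freed by space_info_release() via kobject_put() */`, so a future early return in the sysfs helper does not quietly turn this into a leak. Keeping `parent->sub_group[index] = NULL;` is right: the slot was populated before the sysfs call, and once the release callback has run it would otherwise point at freed memory.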
14b22be1dd84 btrfs: fix double free in create_space_info_sub_group() error path
1 file changed · +1 −4
fs/btrfs/space-info.c+1 −4 modifieddiff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c index d059bf5eaa0986..2b71ed343b63dd 100644 --- a/fs/btrfs/space-info.c +++ b/fs/btrfs/space-info.c @@ -266,10 +266,8 @@ static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flag sub_group->subgroup_id = id; ret = btrfs_sysfs_add_space_info_type(sub_group); - if (ret) { - kfree(sub_group); + if (ret) parent->sub_group[index] = NULL; - } return ret; } -- cgit 1.3-korg
dfd05a16b5c9 btrfs: fix double free in create_space_info_sub_group() error path
1 file changed · +1 −4
fs/btrfs/space-info.c+1 −4 modifieddiff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c index c4a50550672da3..b3ff2e1da89ba8 100644 --- a/fs/btrfs/space-info.c +++ b/fs/btrfs/space-info.c @@ -276,10 +276,8 @@ static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flag sub_group->subgroup_id = id; ret = btrfs_sysfs_add_space_info_type(sub_group); - if (ret) { - kfree(sub_group); + if (ret) parent->sub_group[index] = NULL; - } return ret; } -- cgit 1.3-korg
a7449edf9614 btrfs: fix double free in create_space_info_sub_group() error path
1 file changed · +1 −4
fs/btrfs/space-info.c+1 −4 modifieddiff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c index e017bb182c8cd1..8278e7998bc9a0 100644 --- a/fs/btrfs/space-info.c +++ b/fs/btrfs/space-info.c @@ -287,10 +287,8 @@ static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flag sub_group->subgroup_id = id; ret = btrfs_sysfs_add_space_info_type(sub_group); - if (ret) { - kfree(sub_group); + if (ret) parent->sub_group[index] = NULL; - } return ret; } -- cgit 1.3-korg
259af6857a1b btrfs: fix double free in create_space_info_sub_group() error path
1 file changed · +1 −4
fs/btrfs/space-info.c+1 −4 modifieddiff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c index 45ec126fca4f2f..4e5196cf7b352f 100644 --- a/fs/btrfs/space-info.c +++ b/fs/btrfs/space-info.c @@ -276,10 +276,8 @@ static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flag sub_group->subgroup_id = id; ret = btrfs_sysfs_add_space_info_type(sub_group); - if (ret) { - kfree(sub_group); + if (ret) parent->sub_group[index] = NULL; - } return ret; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Double free in create_space_info_sub_group() error path: after btrfs_sysfs_add_space_info_type() fails, kobject_put() already frees sub_group via the release callback, but the caller then calls kfree(sub_group) again."
Attack vector
The trigger is a failure of kobject_init_and_add() inside btrfs_sysfs_add_space_info_type(), which btrfs calls while creating space-info sub-groups during filesystem setup. kobject_init_and_add() fails on an allocation error or when sysfs directory creation fails (for instance a duplicate name under the same parent), so the vector is local: a user who can mount a btrfs filesystem (ordinarily CAP_SYS_ADMIN or a privileged mount helper) under conditions that make that registration fail, which in practice means allocation failure or fault injection rather than ordinary use.
Affected code
The vulnerable function is create_space_info_sub_group() in fs/btrfs/space-info.c. The error path after calling btrfs_sysfs_add_space_info_type() previously contained a kfree(sub_group) that caused a double free because the kobject release callback already freed the memory.
What the fix does
The patch removes the kfree(sub_group) call from the error path in create_space_info_sub_group() [patch_id=2898147]. When btrfs_sysfs_add_space_info_type() fails, it has already called kobject_put(), which triggers space_info_release() and frees sub_group. The old code then freed sub_group a second time. The fix keeps parent->sub_group[index] = NULL to avoid a dangling pointer, but lets the kobject release callback handle the memory cleanup.
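The call sequence described in the Vulnerability paragraph above and the ownership rule this fix relies on, as an added C example that is not kernel code and not part of this page's sources: a userspace model of the kobject contract. The kobject_*, space_info_release() and create_space_info_sub_group() functions are simplified stand-ins for the kernel ones; model_kzalloc, model_kfree, run_scenario and scenario_result are this example's own names; and the static pool with a frees counter is an assumption that replaces the real allocator so the second free is counted rather than executed.

```c
/* Userspace model of the kobject ownership rule broken by CVE-2026-46164.
 * Added example, not kernel code: names mirror btrfs loosely, and a static
 * pool that counts frees replaces kmalloc/kfree, so the double free is
 * observable instead of undefined behaviour. */
#include <errno.h>
#include <string.h>

/* Stand-in for struct kobject: refcount plus the ktype release callback. */
struct kobj {
	int refcount;
	void (*release)(struct kobj *);
};

/* Stand-in for struct btrfs_space_info (parent and sub-group alike). */
struct space_info {
	struct kobj kobj;          /* first member, so a cast == container_of() */
	int frees;                 /* instrumentation: how often this was "freed" */
	struct space_info *sub_group[2];
};

static struct space_info pool[8];  /* replaces kmalloc: objects are never returned */
static int pool_next;

static struct space_info *model_kzalloc(void)
{
	struct space_info *si = &pool[pool_next++];
	memset(si, 0, sizeof(*si));
	return si;
}

/* Replaces kfree: a second call on the same object is the double free. */
static void model_kfree(struct space_info *si) { si->frees++; }

/* ktype release callback: the only place the object is meant to be freed. */
static void space_info_release(struct kobj *kobj)
{
	model_kfree((struct space_info *)kobj);
}

static void kobject_put(struct kobj *k)
{
	if (--k->refcount == 0)
		k->release(k);
}

/* Models kobject_init_and_add(): even when the add step fails the kobject is
 * initialised and owns the embedding object, so the caller must drop it with
 * kobject_put() and never kfree() it directly. */
static int kobject_init_and_add(struct kobj *k, void (*release)(struct kobj *),
				int inject_fail)
{
	k->refcount = 1;
	k->release = release;
	return inject_fail ? -ENOMEM : 0;
}

/* Models btrfs_sysfs_add_space_info_type(): drops the reference on failure. */
static int btrfs_sysfs_add_space_info_type(struct space_info *si, int inject_fail)
{
	int ret = kobject_init_and_add(&si->kobj, space_info_release, inject_fail);
	if (ret)
		kobject_put(&si->kobj);   /* -> space_info_release() -> free */
	return ret;
}

/* Models create_space_info_sub_group(); fixed == 0 is the pre-patch error path. */
static int create_space_info_sub_group(struct space_info *parent, int index,
				       int fixed, int inject_fail)
{
	struct space_info *sg = model_kzalloc();
	int ret;
	parent->sub_group[index] = sg;
	ret = btrfs_sysfs_add_space_info_type(sg, inject_fail);
	if (ret) {
		if (!fixed)
			model_kfree(sg);  /* the bug: already freed via the release callback */
		parent->sub_group[index] = NULL;
	}
	return ret;
}

/* ret: what create_space_info_sub_group() returned; frees: times the sub-group
 * object was freed; slot_is_null: parent->sub_group[0] cleared afterwards. */
struct scenario_result { int ret, frees, slot_is_null; };

/* One sub-group creation, plus the normal kobject_put() teardown on success. */
struct scenario_result run_scenario(int fixed, int inject_fail)
{
	struct space_info parent;
	struct scenario_result r;
	memset(&parent, 0, sizeof(parent));
	pool_next = 0;
	r.ret = create_space_info_sub_group(&parent, 0, fixed, inject_fail);
	r.slot_is_null = (parent.sub_group[0] == NULL);
	if (r.ret == 0)
		kobject_put(&pool[0].kobj);   /* teardown: the one legitimate free */
	r.frees = pool[0].frees;
	return r;
}
```

run_scenario(0, 1) models the unpatched error path and reports two frees of the same object; run_scenario(1, 1) is the patched path with exactly one, performed by the release callback, and the parent slot cleared in both cases. The success path tears down with kobject_put() and also frees exactly once. The rule the model encodes is the one the commit message states: once kobject_init_and_add() has run, even unsuccessfully, the memory belongs to the kobject and only kobject_put() may free it.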
Preconditions
- auth: the ability to mount or operate a btrfs filesystem (ordinarily CAP_SYS_ADMIN or a privileged mount helper)
- input: kernel conditions that make kobject_init_and_add() fail during sub-group creation (allocation failure, or fault injection on a test kernel)
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf [nvd]
- git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd [nvd]
- git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728 [nvd]
- git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21 [nvd]
- git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1 [nvd]
News mentions
No linked articles in our index yet.