CVE-2026-46129 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837
https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738
https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07
https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c
https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53

History

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
Title		btrfs: fix double free in create_space_info() error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837 https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738 https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07 https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:35:44.271Z

Updated: 2026-05-28T09:35:44.271Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46129

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T10:16:28.473

Modified: 2026-05-28T10:16:28.473

Link: CVE-2026-46129

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object