btrfs: fix double free in create_space_info() error path

CVE	CVE-2026-46129
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 10:16:28 UTC
Updated	2026-05-30 11:17:23 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000180000 probability, percentile 0.051640000 (date 2026-05-29)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 58208907c4044a764dbd8896026283905da6d9be c2670ec4aa49ca226bce9776601e0da37502be07 git	Not specified
CNA	Linux	Linux	affected bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618 f414b3abbba59ef379a2b3c31f2bdd9358ed5e53 git	Not specified
CNA	Linux	Linux	affected 6cb008f1bb23e023dfe615cca5df14570dfc8da5 9a060970fd7b5e1c561e4ce73cb9949e4269a738 git	Not specified
CNA	Linux	Linux	affected a11224a016d6d1d46a4d9b6573244448a80d4d7f dd6ade0fdd59218d71a981ae7c937a304e49209c git	Not specified
CNA	Linux	Linux	affected a11224a016d6d1d46a4d9b6573244448a80d4d7f 3f487be81292702a59ea9dbc4088b3360a50e837 git	Not specified
CNA	Linux	Linux	affected 20e8f2de3688082eeafeb93c8900485b7542457e git	Not specified
CNA	Linux	Linux	affected 6.6.122 6.6.140 semver	Not specified
CNA	Linux	Linux	affected 6.12.67 6.12.88 semver	Not specified
CNA	Linux	Linux	affected 6.18.7 6.18.30 semver	Not specified
CNA	Linux	Linux	affected 6.1.162 6.2 semver	Not specified
CNA	Linux	Linux	affected 6.19	Not specified
CNA	Linux	Linux	unaffected 6.19 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.