btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46159
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-28 10:16:31 UTC
Updated2026-06-19 13:16:34 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.

Risk And Classification

Primary CVSS: v3.1 4.7 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000180000 probability, percentile 0.050080000 (date 2026-06-02)

Problem Types: CWE-367

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc f407aad350bdea4db300c47433573b7a41630d33 git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc d8224b1be6627c6c3b204bfb264508d27c65ac44 git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc d69a4a6813fdba7c4cc3695a7e843842b240790d git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc f5ee467b56764964027c361641f64953fc0f8f9a git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc 4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3 git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc 5d12e0ab009ade48c1bff9324fd9bea2c773d088 git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc d09d67d5de577cedae3de9497dff217e0ac8b641 git Not specified
CNA Linux Linux affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc 973e57c726c1f8e77259d1c8e519519f1e9aea77 git Not specified
CNA Linux Linux affected 2.6.34 Not specified
CNA Linux Linux unaffected 2.6.34 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.140 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.90 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.32 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.7 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d69a4a6813fdba7c4cc3695a7e843842b240790d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f407aad350bdea4db300c47433573b7a41630d33 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d8224b1be6627c6c3b204bfb264508d27c65ac44 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report