{"api_version":"1","generated_at":"2026-05-30T06:42:07+00:00","cve":"CVE-2026-46159","urls":{"html":"https://cve.report/CVE-2026-46159","api":"https://cve.report/api/cve/CVE-2026-46159.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46159","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46159"},"summary":{"title":"btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-28 10:16:31","updated_at":"2026-05-28 13:44:01"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a","name":"https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77","name":"https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088","name":"https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641","name":"https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3","name":"https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46159","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46159","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc f5ee467b56764964027c361641f64953fc0f8f9a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc 4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc 5d12e0ab009ade48c1bff9324fd9bea2c773d088 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc d09d67d5de577cedae3de9497dff217e0ac8b641 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7fde62bffb576d384ea49a3aed3403d5609ee5bc 973e57c726c1f8e77259d1c8e519519f1e9aea77 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.34","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.34 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.90 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.32 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46159","cve":"CVE-2026-46159","epss":"0.000180000","percentile":"0.051640000","score_date":"2026-05-29","updated_at":"2026-05-30 00:13:24"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/btrfs/ioctl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"f5ee467b56764964027c361641f64953fc0f8f9a","status":"affected","version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","versionType":"git"},{"lessThan":"4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3","status":"affected","version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","versionType":"git"},{"lessThan":"5d12e0ab009ade48c1bff9324fd9bea2c773d088","status":"affected","version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","versionType":"git"},{"lessThan":"d09d67d5de577cedae3de9497dff217e0ac8b641","status":"affected","version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","versionType":"git"},{"lessThan":"973e57c726c1f8e77259d1c8e519519f1e9aea77","status":"affected","version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/btrfs/ioctl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.34"},{"lessThan":"2.6.34","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.90","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.32","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.90","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.32","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","versionStartIncluding":"2.6.34","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data."}],"providerMetadata":{"dateUpdated":"2026-05-28T09:36:14.676Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a"},{"url":"https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3"},{"url":"https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088"},{"url":"https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641"},{"url":"https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77"}],"title":"btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46159","datePublished":"2026-05-28T09:36:14.676Z","dateReserved":"2026-05-13T15:03:33.102Z","dateUpdated":"2026-05-28T09:36:14.676Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 10:16:31","lastModifiedDate":"2026-05-28 13:44:01","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46159","Ordinal":"1","Title":"btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can ","CVE":"CVE-2026-46159","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46159","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data.","Type":"Description","Title":"btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can "}]}}}