Severity: HIGH
btrfs SpaceInfo DoubleFree
CVE-2026-46129
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8, HIGH)
KernelScan AI score: 5.5 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info()
  -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add()
      -> failure
      -> kobject_put(&space_info->kobj)
        -> space_info_release()
          -> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error
  -> goto out_free
    -> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a double free in the btrfs filesystem during space_info creation when sysfs registration of the new space_info fails, leading to kernel memory corruption and a crash (denial of service). The same allocation is freed twice through two different code paths: once by the kobject release callback and once by create_space_info()'s own error label.
Vulnerability analysis
The vulnerability is a classic double free in the btrfs filesystem's create_space_info() function. When btrfs_sysfs_add_space_info_type() fails, it calls kobject_put(), which runs the space_info_release() callback and frees the space_info structure. The error handling in create_space_info() then executes 'goto out_free', which calls kfree(space_info) a second time on memory that has already been freed. The fix changes the error path after btrfs_sysfs_add_space_info_type() to return directly instead of jumping to the free label, so that once the kobject has been initialised its release callback is the only owner of the allocation; the direct kfree(space_info) is kept only for the earlier failure path, where no kobject has taken ownership yet. Note the trigger condition: the bug is reachable only when kobject_init_and_add() fails, i.e. when sysfs registration itself fails (typically an allocation failure under memory pressure), so a local user who can cause btrfs to create space_info objects cannot fire it on demand. When it does fire, the second kfree() corrupts slab allocator state and the realistic outcome is a kernel crash (denial of service), consistent with the risk summary above.
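The ownership hand-off that the fix restores is easier to see in a user-space model than in the call chain alone. The following is an added example, not kernel code and not part of the KernelScan page: the function names mirror the kernel's (kobject_put, space_info_release, btrfs_sysfs_add_space_info_type, create_space_info) but every body is a mock, the early_setup() step and the fail_early/fail_sysfs knobs are assumptions standing in for "some allocation before sysfs registration" and for the kobject_init_and_add() failure, and the fixed-size pool replaces kmalloc so that a second free is counted instead of corrupting the heap. Both the buggy and the fixed create_space_info() are shown side by side.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned long long u64;

struct kobject {
    int refcount;
    void (*release)(struct kobject *kobj);
};

/* Trimmed-down stand-in for struct btrfs_space_info. */
struct space_info {
    u64 flags;
    struct kobject kobj;
    bool freed;   /* mock bookkeeping so a second kfree() is detectable */
};

/* Mock allocator: objects come from a fixed pool and are never handed back
 * to libc, so a freed object stays addressable and a double free becomes a
 * counter increment instead of undefined behaviour. */
#define POOL_SIZE 4
static struct space_info pool[POOL_SIZE];
static int pool_next;
static int double_free_count;

static struct space_info *mock_kzalloc_space_info(void)
{
    if (pool_next >= POOL_SIZE)
        return NULL;
    struct space_info *si = &pool[pool_next++];
    *si = (struct space_info){ 0 };
    return si;
}

static void mock_kfree(struct space_info *si)
{
    if (si->freed) {
        double_free_count++;   /* the defect the CVE describes */
        return;
    }
    si->freed = true;
}

/* Objects allocated in the current scenario that were never freed. */
static int live_objects(void)
{
    int n = 0;
    for (int i = 0; i < pool_next; i++)
        if (!pool[i].freed)
            n++;
    return n;
}

/* kobject release callback: container_of(kobj, struct space_info, kobj). */
static void space_info_release(struct kobject *kobj)
{
    struct space_info *si =
        (struct space_info *)((char *)kobj - offsetof(struct space_info, kobj));
    mock_kfree(si);
}

static void kobject_put(struct kobject *kobj)
{
    if (--kobj->refcount == 0)
        kobj->release(kobj);
}

/* Failure-injection knobs (assumed for this example, not kernel code). */
static bool fail_early;
static bool fail_sysfs;

/* Like the kernel's kobject_init_and_add(): the kobject is initialised
 * (refcount 1, release set) even when the add step fails. */
static int kobject_init_and_add(struct kobject *kobj, void (*release)(struct kobject *))
{
    kobj->refcount = 1;
    kobj->release = release;
    return fail_sysfs ? -ENOMEM : 0;
}

/* Stand-in for any setup create_space_info() does before sysfs registration;
 * if this fails the caller still owns space_info and must kfree() it. */
static int early_setup(struct space_info *si)
{
    (void)si;
    return fail_early ? -ENOMEM : 0;
}

/* Mirrors btrfs_sysfs_add_space_info_type(): on failure it drops the
 * reference it just took, which runs space_info_release() -> kfree(). */
static int btrfs_sysfs_add_space_info_type(struct space_info *si)
{
    int ret = kobject_init_and_add(&si->kobj, space_info_release);
    if (ret)
        kobject_put(&si->kobj);   /* ownership transferred; si freed here */
    return ret;
}

/* Before the fix: both failure paths jump to out_free. */
static int create_space_info_buggy(u64 flags)
{
    struct space_info *si = mock_kzalloc_space_info();
    int ret;
    if (!si)
        return -ENOMEM;
    si->flags = flags;
    ret = early_setup(si);
    if (ret)
        goto out_free;   /* correct: nobody else owns si yet */
    ret = btrfs_sysfs_add_space_info_type(si);
    if (ret)
        goto out_free;   /* wrong: kobject_put() already freed si */
    return 0;
out_free:
    mock_kfree(si);
    return ret;
}

/* After the fix: once kobject_init_and_add() has run, the release callback
 * is the only place that frees the object. */
static int create_space_info_fixed(u64 flags)
{
    struct space_info *si = mock_kzalloc_space_info();
    int ret;
    if (!si)
        return -ENOMEM;
    si->flags = flags;
    ret = early_setup(si);
    if (ret)
        goto out_free;   /* direct kfree kept for the earlier failure path */
    ret = btrfs_sysfs_add_space_info_type(si);
    if (ret)
        return ret;      /* kobject release already did the cleanup */
    return 0;
out_free:
    mock_kfree(si);
    return ret;
}

/* Run one variant under the given failure injection; returns how many
 * double frees the mock allocator observed. */
static int run_scenario(int (*variant)(u64), bool early, bool sysfs)
{
    pool_next = 0;
    double_free_count = 0;
    fail_early = early;
    fail_sysfs = sysfs;
    variant(0x1);
    return double_free_count;
}

int main(void)
{
    int d = run_scenario(create_space_info_buggy, false, true);
    printf("buggy, sysfs fails: %d double free(s), %d live\n", d, live_objects());
    d = run_scenario(create_space_info_fixed, false, true);
    printf("fixed, sysfs fails: %d double free(s), %d live\n", d, live_objects());
    d = run_scenario(create_space_info_fixed, true, false);
    printf("fixed, early fails: %d double free(s), %d live\n", d, live_objects());
    return 0;
}
```

The point the model makes explicit is the ownership boundary: before kobject_init_and_add() the caller owns the allocation and must free it on error; after it, the kobject does, and the caller must neither free nor touch the object once it has observed a failure return. In the kernel the second kfree() lands on a slab allocator with no such bookkeeping, which is why the observable effect is corruption and a crash rather than a counter.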
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.175 | ae6d6e31ceb7 |
| 6.6 | 6.6.140 | c2670ec4aa49 |
| 6.12 | 6.12.88 | f414b3abbba5 |
| 6.18 | 6.18.30 | 9a060970fd7b |
| 7.0 | 7.0.7 | dd6ade0fdd59 |
| mainline | 7.1-rc1 | 3f487be81292 |