HIGH
btrfs SpaceInfo Double-Free
CVE-2026-46164
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
KernelScan AI: 4.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group()
  -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add() -> failure
      -> kobject_put(&sub_group->kobj)
        -> space_info_release()
          -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
02 KernelScan AI Analysis
Risk summary
Users with root privileges can trigger a double-free vulnerability in the btrfs filesystem's space info management during administrative filesystem operations (such as mount, balance, or device addition), leading to kernel memory corruption and a system denial of service. The flaw lies in the error path taken when creating space info sub-groups, where the kobject release callback and an explicit kfree() both free the same object.
Vulnerability analysis
The root cause is improper error handling in create_space_info_sub_group(). When kobject_init_and_add() fails, btrfs_sysfs_add_space_info_type() calls kobject_put(&sub_group->kobj), which triggers space_info_release() and frees sub_group. Control then returns to create_space_info_sub_group(), whose error path incorrectly calls kfree(sub_group) a second time, causing a double free. The fix drops the redundant kfree() and lets the kobject release callback handle the cleanup. This code path is reached during btrfs operations that create space info sub-groups, such as mounting a filesystem with specific block group configurations or performing balance/relocation operations; these operations require root-level privileges (CAP_SYS_ADMIN).
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.90 | 14b22be1dd84 |
| 6.18 | 6.18.32 | 259af6857a1b |
| 6.2 | 6.2 | dfd05a16b5c9 |
| 6.6 | 6.6.141 | d2a675f2e238 |
| 7.0 | 7.0.7 | a7449edf9614 |
| mainline | 7.1-rc1 | — |