PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31434 Linux CVE debrief

CVE-2026-31434 is a Linux kernel Btrfs issue where cleanup for sub-group space_info objects can skip the matching sysfs removal path, leaking kobject name memory. The flaw is a memory leak rather than a direct integrity issue, but it can still matter on systems that repeatedly exercise the affected Btrfs path. NVD rates it medium severity (CVSS 5.5) and the record maps it to a local-privileged attack scenario with high availability impact.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-05-20
Advisory published
2026-04-22
Advisory updated
2026-05-20

Who should care

Linux administrators, kernel maintainers, and platform teams running Btrfs on affected kernel releases should care most. Systems that use Btrfs and may exercise space-info sub-group creation and teardown, especially in test, storage appliance, or container-host environments, are the most relevant operationally.

Technical summary

According to the CVE description, create_space_info_sub_group() allocates entries in space_info->sub_group[] and initializes each with kobject_init_and_add() through btrfs_sysfs_add_space_info_type(). When check_removing_space_info() frees those entries, it calls kfree() instead of btrfs_sysfs_remove_space_info(), so kobject_put() is not reached and the associated kobj->name allocations leak. The issue is reproducible with blktests zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK, which reports the leaked allocation originating from kobject_set_name_vargs() and btrfs_sysfs_add_space_info_type().

Defensive priority

Medium. This is a confirmed memory leak in the Linux kernel with a clear upstream fix path and bounded impact, but it can accumulate over time and affect system stability or availability. Prioritize patching if you run Btrfs on kernels in the affected release ranges.

Recommended defensive actions

  • Upgrade to a kernel release that includes the upstream fix or the vendor backport for your branch.
  • If you maintain kernels, verify the cleanup path for Btrfs space_info sub-groups uses btrfs_sysfs_remove_space_info() rather than direct kfree().
  • Check whether your fleet includes affected versions listed by NVD, including 6.1.x, 6.6.x, 6.12.x, 6.16+, 6.19+, and 7.0 release candidates.
  • Use CONFIG_DEBUG_KMEMLEAK in test or staging where practical to validate that the leak no longer reproduces.
  • Track vendor advisories or stable kernel updates that reference the linked official patch commits.

Evidence notes

The CVE description states that the leak happens because check_removing_space_info() frees space_info->sub_group[] elements without calling btrfs_sysfs_remove_space_info(), preventing kobject_put() from releasing kobj->name. The supplied CVE record also includes a kmemleak backtrace showing allocation from kobject_set_name_vargs() through btrfs_sysfs_add_space_info_type() and identifies reproduction with blktests zbd/009 on CONFIG_DEBUG_KMEMLEAK kernels. NVD lists six official git.kernel.org stable patch references and affected version ranges for the Linux kernel.

Official resources

Published 2026-04-22T14:16:36.533Z and modified 2026-05-20T15:11:33.287Z in the supplied CVE/NVD record.