PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46129 Linux CVE debrief

A double-free vulnerability exists in the Linux kernel's Btrfs filesystem, specifically within the `create_space_info()` error handling path. The flaw occurs when `kobject_init_and_add()` fails during sysfs registration: the kobject's release callback (`space_info_release()`) already frees the `space_info` structure via `kfree()`, but control returns to `create_space_info()` which then executes another `kfree(space_info)` at the `out_free` label. This results in the same memory being freed twice, potentially leading to memory corruption, kernel crashes, or exploitable use-after-free conditions. The vulnerability affects kernel versions prior to the fix commits. The resolution modifies the error path to avoid duplicate freeing by allowing the kobject release callback to handle cleanup after `btrfs_sysfs_add_space_info_type()` has been called, while retaining direct `kfree()` only for earlier failure points before kobject initialization.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Linux system administrators running Btrfs filesystems, kernel maintainers, distribution security teams, and organizations with custom kernel builds using Btrfs

Technical summary

The vulnerability is a double-free memory corruption bug in the Btrfs filesystem's space info initialization code. When `btrfs_sysfs_add_space_info_type()` fails during `kobject_init_and_add()`, the kobject's release callback frees the `space_info` structure, but the caller's error path (`out_free`) performs an additional `kfree()` on the same pointer. This classic double-free pattern can corrupt kernel heap metadata, leading to crashes or potentially exploitable memory reuse. The fix ensures that after kobject initialization is attempted, cleanup is delegated to the kobject release mechanism rather than direct freeing, while preserving direct cleanup for pre-initialization failures.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the fix commits for affected stable branches
  • Prioritize patching systems using Btrfs filesystems
  • Monitor kernel logs for memory corruption indicators or unexpected crashes in Btrfs operations
  • Review custom kernel builds for backport of commits 3f487be81292702a59ea9dbc4088b3360a50e837, 9a060970fd7b5e1c561e4ce73cb9949e4269a738, c2670ec4aa49ca226bce9776601e0da37502be07, dd6ade0fdd59218d71a981ae7c937a304e49209c,
  • f414b3abbba59ef379a2b3c31f2bdd9358ed5e53

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Fix commits identified in kernel.org stable repository. Double-free root cause confirmed through code path analysis in vulnerability description.

Official resources

2026-05-28