PatchSiren cyber security CVE debrief

CVE-2026-46159 Linux CVE debrief

A Time-of-Check to Time-of-Use (TOCTOU) race condition in the Linux kernel's Btrfs filesystem driver can lead to information disclosure. The vulnerability exists in `btrfs_ioctl_space_info()`, which performs two passes over block group RAID type lists: first to count entries and allocate a buffer, then to fill that buffer. The `groups_sem` rwlock is released between these passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, `copy_to_user()` copies the full allocated buffer size—including trailing uninitialized kernel heap memory—to userspace. The fix copies only the actually-filled entry count and switches to `kzalloc` to prevent heap data leakage from any future size mismatches.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux system administrators running Btrfs filesystems, kernel security teams, and organizations with strict kernel memory isolation requirements

Technical summary

The `btrfs_ioctl_space_info()` function in the Linux kernel Btrfs driver contains a TOCTOU vulnerability where the `groups_sem` lock is dropped between counting block group entries and filling the user buffer. Concurrent block group removal can reduce the actual entry count below the allocated buffer size, causing `copy_to_user()` to copy uninitialized kernel heap memory to userspace. The remediation copies only filled entries and uses `kzalloc` for defense-in-depth.
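The count-then-fill pattern described above, as an added userspace model (not kernel code and not taken from the referenced commits). Every name in it is hypothetical, the group state is constructed, and a poison byte stands in for stale heap contents so the leaked byte count is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the two-pass pattern; all names are hypothetical. */
struct entry { unsigned long flags, total, used; };
#define POISON 0xA5  /* stands in for stale heap contents */

/* Pass 1: count live groups (done under the lock in the real code). */
static size_t count_groups(const int *live, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += live[i] != 0;
    return c;
}

/* Pass 2: fill at most `slots` entries; returns how many were written. */
static size_t fill_groups(const int *live, size_t n, struct entry *dst, size_t slots) {
    size_t w = 0;
    for (size_t i = 0; i < n && w < slots; i++) {
        if (!live[i]) continue;
        dst[w].flags = i; dst[w].total = 1024; dst[w].used = 512;
        w++;
    }
    return w;
}

/* Runs both passes with one group removed in between.
 * fixed == 0: unzeroed buffer, copy the counted size (the bug).
 * fixed != 0: zeroed buffer, copy only the filled entries (the fix).
 * Returns how many POISON bytes reached the "user" buffer. */
size_t leaked_bytes(int fixed) {
    int live[4] = {1, 1, 1, 1};              /* constructed sample state */
    size_t counted = count_groups(live, 4);
    size_t alloc = counted * sizeof(struct entry);
    unsigned char user[4 * sizeof(struct entry)] = {0};
    struct entry *buf = malloc(alloc);
    if (!buf) return (size_t)-1;
    memset(buf, fixed ? 0 : POISON, alloc);  /* kzalloc vs. stale kmalloc data */
    live[3] = 0;                             /* concurrent removal while unlocked */
    size_t filled = fill_groups(live, 4, buf, counted);
    size_t ncopy = fixed ? filled * sizeof(struct entry) : alloc;
    memcpy(user, buf, ncopy);                /* stands in for copy_to_user() */
    free(buf);
    size_t leak = 0;
    for (size_t i = 0; i < sizeof(user); i++) leak += user[i] == POISON;
    return leak;
}

int main(void) {
    printf("buggy: %zu bytes, fixed: %zu bytes\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```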

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor vendor security advisories for patched kernel packages
  • Restrict untrusted user access to Btrfs ioctl interfaces until patching is complete
  • Review systems with Btrfs filesystems for unauthorized access patterns

Evidence notes

The CVE description confirms a TOCTOU race between the allocation-size counting pass and the data-filling pass, with `groups_sem` released between them. The kernel commit references indicate stable backports. NVD had assigned no CVSS score or severity at the time of disclosure.

Official resources

2026-05-28