PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46164 Linux CVE debrief

A double-free vulnerability exists in the Linux kernel's Btrfs filesystem driver, specifically within the `create_space_info_sub_group()` function. When `kobject_init_and_add()` fails during sysfs registration, the error handling path incorrectly frees memory that has already been released by the kobject's release callback. This occurs because `kobject_put()` triggers `space_info_release()`, which calls `kfree(sub_group)`, but control then returns to `create_space_info_sub_group()` where an additional `kfree(sub_group)` is executed. The fix ensures that after `btrfs_sysfs_add_space_info_type()` calls `kobject_put()`, the kobject release callback handles cleanup exclusively, preventing the redundant free operation.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux system administrators running Btrfs filesystems, kernel maintainers, and security teams responsible for fleet kernel patch management.

Technical summary

The vulnerability stems from improper error handling in the Btrfs space info subsystem. When sysfs registration fails via `kobject_init_and_add()`, the kobject's reference counting mechanism automatically invokes `space_info_release()` through `kobject_put()`, which frees the `sub_group` structure. However, the calling function `create_space_info_sub_group()` subsequently executes its own `kfree(sub_group)` on the already-freed pointer, which is the double free and can potentially corrupt kernel memory. The resolution modifies the error path to set `parent->sub_group[index] = NULL` while deferring all cleanup to the kobject release callback, eliminating the duplicate free.
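The error path described above, as an added user-space model in C (not the kernel source or the upstream patch). The `model_*` names, the `fail` and `patched` switches, and the call-counting stand-in for `kfree()` are assumptions, chosen so the second free can be counted instead of triggered.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model of the error path; every model_* name is illustrative. */
struct model_kobj { int refcount; void (*release)(struct model_kobj *); };
struct model_sub_group { struct model_kobj kobj; int free_calls; };

/* Stands in for kfree(): counts calls so a second free is observable safely. */
static void model_kfree(struct model_sub_group *sg) { sg->free_calls++; }

/* Stands in for space_info_release(); valid because kobj is the first member. */
static void model_release(struct model_kobj *k) { model_kfree((struct model_sub_group *)k); }

/* Stands in for kobject_put(): dropping the last reference runs release(). */
static void model_kobject_put(struct model_kobj *k)
{
    if (--k->refcount == 0)
        k->release(k);
}

/* Stands in for sysfs registration; on failure it drops the only reference. */
static int model_sysfs_add(struct model_sub_group *sg, int fail)
{
    sg->kobj.refcount = 1;
    sg->kobj.release = model_release;
    if (fail)
        model_kobject_put(&sg->kobj);
    return fail ? -1 : 0;
}

/* Returns how many times the object was freed, or -1 if calloc failed. */
int create_sub_group_model(int fail, int patched)
{
    struct model_sub_group *sg = calloc(1, sizeof(*sg));
    int frees;
    if (!sg)
        return -1;
    if (model_sysfs_add(sg, fail) < 0 && !patched)
        model_kfree(sg);   /* pre-fix caller: frees again after release() */
    frees = sg->free_calls;
    free(sg);              /* real cleanup of the model object */
    return frees;
}

int main(void)
{
    printf("pre-fix frees=%d\n", create_sub_group_model(1, 0));
    printf("fixed frees=%d\n", create_sub_group_model(1, 1));
    return 0;
}
```

A count of 2 on the failing pre-fix path is the double free; the fixed path frees exactly once, through the release callback only.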

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches as referenced in the official CVE record
  • Update to patched kernel versions when available from distribution maintainers
  • Monitor Btrfs filesystem operations for stability issues on unpatched systems
  • Review kernel crash logs for signs of memory corruption in space info sub-group handling

Evidence notes

Vulnerability description and fix details are sourced from the official CVE record and kernel.org git commits. The issue was resolved by modifying error handling in `create_space_info_sub_group()` to avoid duplicate memory deallocation.
