In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
58208907c4044a764dbd8896026283905da6d9be affected < c2670ec4aa49ca226bce9776601e0da37502be07
bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618 affected < f414b3abbba59ef379a2b3c31f2bdd9358ed5e53
6cb008f1bb23e023dfe615cca5df14570dfc8da5 affected < 9a060970fd7b5e1c561e4ce73cb9949e4269a738
a11224a016d6d1d46a4d9b6573244448a80d4d7f affected < dd6ade0fdd59218d71a981ae7c937a304e49209c
a11224a016d6d1d46a4d9b6573244448a80d4d7f affected < 3f487be81292702a59ea9dbc4088b3360a50e837
20e8f2de3688082eeafeb93c8900485b7542457e affected
6.6.122 affected < 6.6.140
6.12.67 affected < 6.12.88
6.18.7 affected < 6.18.30
6.1.162 affected < 6.2
Linux Linux affected
Version Status Constraints
6.19 affected
0 unaffected < 6.19
6.6.140 unaffected ≤ 6.6.*
6.12.88 unaffected ≤ 6.12.*
6.18.30 unaffected ≤ 6.18.*
7.0.7 unaffected ≤ 7.0.*
7.1-rc1 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux Subscribe
Linux Kernel Subscribe

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837 cve-icon cve-icon
https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738 cve-icon cve-icon
https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07 cve-icon cve-icon
https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c cve-icon cve-icon
https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53 cve-icon cve-icon
History

Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
Title btrfs: fix double free in create_space_info() error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:44.271Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46129

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.473

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T13:15:20Z

Weaknesses