HIGH 7.8

CVE-2026-46129

A double-free memory corruption bug exists in the Linux kernel's Btrfs filesystem implementation. When the kernel initializes and registers filesystem space information objects with the sysfs interface, a failure in that registration process can cause the same memory block to be freed twice. This happens because the error recovery code doesn't account for cleanup already performed by the object release callback. A local attacker with unprivileged user access could trigger this condition and gain kernel-level privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-415
Affected products
5 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46129 is a double-free vulnerability in create_space_info() within the Btrfs subsystem. The vulnerability occurs in the error path when kobject_init_and_add() fails during space info type registration. When kobject_put() is called, it invokes the space_info_release() callback, which frees the space_info structure. Control then returns to create_space_info() where the error handler again calls kfree(space_info), resulting in a use-after-free and potential kernel code execution. The fix requires conditional logic: direct kfree() for early failure paths, but deferred cleanup via kobject callbacks after kobject_put() is invoked.

Business impact

This vulnerability poses a direct privilege escalation risk for multi-user or containerized Linux systems. Any user with local access can crash the kernel or execute arbitrary code with kernel privileges, leading to complete system compromise. For cloud providers, container orchestration platforms, and shared hosting environments, this represents a critical containment breach. Even single-user systems running untrusted services or exposed to local network attackers are at risk. Data breach, denial of service, and lateral movement to other systems are all plausible outcomes.

Affected systems

The Linux kernel versions running Btrfs filesystem code are affected. Btrfs is commonly used in enterprise Linux distributions (RHEL, Ubuntu, SLES), cloud platforms, and storage appliances. Systems must have Btrfs compiled into the kernel or loaded as a module, and must handle space information registration during filesystem operations or initialization. Verify the specific kernel version and Btrfs patch status against your vendor's security advisory for exact affected ranges.

Exploitability

The vulnerability is exploitable by local authenticated users with standard (unprivileged) permissions. Exploitation requires triggering the specific error condition in kobject_init_and_add() during space info registration, which may involve filesystem mount operations, out-of-memory scenarios, or sysfs naming conflicts. No network access or special capabilities are required. The CVSS score of 7.8 (HIGH) reflects the local attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Remediation

Patch your Linux kernel to a version that includes the fix for CVE-2026-46129. This fix modifies the error handling in create_space_info() to avoid double-free by letting the kobject release callback handle cleanup after kobject_put() is called. Verify the exact patched kernel version from your Linux distribution's security advisory. If immediate patching is not possible, restrict local user access and disable Btrfs on systems where it is not essential.

Patch guidance

Monitor your Linux distribution's security advisories and kernel update channels (kernel.org, Red Hat Security Advisories, Ubuntu Security Notices, SLES Security Updates, etc.) for patches addressing CVE-2026-46129. Apply the patch as part of your standard kernel update process. Test in a non-production environment first to ensure compatibility with your workloads. Kernel patches typically require a system reboot to take effect. Document the patch version applied for audit and compliance purposes.

Detection guidance

Monitor system logs for kernel oops, panic, or memory corruption warnings tied to Btrfs space info operations. Intrusion detection systems can monitor for abnormal privilege escalation patterns from unprivileged processes. Memory sanitizer tools (KASAN, MSAN) in debugging kernels will flag the double-free condition. However, detection after exploitation is often too late; preventive patching is the primary mitigation. Consider kernel hardening features like SMEP and SMAP to raise the bar for exploitation.

Why prioritize this

This vulnerability merits immediate patching due to its HIGH CVSS score, local privilege escalation vector, and applicability to any system running Btrfs. The simplicity of triggering the error condition and the direct path to kernel code execution make it a priority for any organization managing multi-user or container-based Linux infrastructure. Delayed patching leaves systems vulnerable to internal threat actors and compromised services.

Risk score, explained

CVSS 3.1 score of 7.8 reflects: Attack Vector = Local (AV:L), Attack Complexity = Low (AC:L), Privileges Required = Low (PR:L), User Interaction = None (UI:N), Scope = Unchanged (S:U), Confidentiality = High (C:H), Integrity = High (I:H), Availability = High (A:H). The local vector limits exposure to authenticated users, but the low complexity and high impact on all three security pillars (CIA) make this a serious kernel vulnerability.

Frequently asked questions

Do I need Btrfs enabled to be vulnerable?

Yes. The vulnerability is specific to the Btrfs filesystem code path. Systems using ext4, XFS, or other filesystems are not affected. Check your kernel configuration and mounted filesystems to determine if Btrfs is in use. Compile-time disabling of Btrfs eliminates the risk.

Can this be exploited remotely?

No. The attack vector is Local only (AV:L). The attacker must have direct access to the system via a local user account or service. Remote exploitation is not possible; however, a compromised container, VM guest, or service running as an unprivileged user can exploit this to gain kernel access.

What triggers the vulnerability?

The vulnerability is triggered when kobject_init_and_add() fails during space info registration, which can occur during Btrfs mount, space management operations, or under resource constraints like out-of-memory conditions. Normal Btrfs operations may not trigger it, but targeted workloads or fault-injection testing can. Exploitation typically requires deliberate triggering of the error path.

Is there a workaround if I cannot patch immediately?

Partial mitigations include: disabling Btrfs if not required, restricting local user access and container privileges, and enabling kernel hardening features (SMEP, SMAP, SELinux enforcing mode). However, these are not substitutes for patching. Prioritize kernel updates as the primary remediation.

This analysis is based on publicly available vulnerability data and vendor advisories current as of the publication date. Specific affected kernel versions, patch availability, and timeline vary by Linux distribution. Consult your distribution's security advisories and kernel vendor directly for authoritative patch information and support. This summary does not constitute legal or compliance advice; organizations should assess their own risk posture and remediation capability. Proof-of-concept code, exploitation techniques, and detailed attack vectors are intentionally omitted from this report. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-46162HIGH

    CVE-2026-46162: Linux ice Driver Double-Free Kernel Vulnerability — Privilege Escalation Risk

  • CVE-2026-46164HIGH

    CVE-2026-46164: Linux Btrfs Double-Free Kernel Vulnerability – Patch Guidance

  • CVE-2026-44422HIGH

    CVE-2026-44422: FreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)