CVE-2026-46159
A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-367
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-19
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46159 is a time-of-check-time-of-use (TOCTOU) race condition in btrfs_ioctl_space_info(). The vulnerability occurs because the function performs two separate passes over block group RAID type lists without holding appropriate synchronization: a first pass counts entries to allocate a buffer, and a second pass fills that buffer. The groups_sem rwlock is released between passes, creating a window during which concurrent block group removal can reduce the actual entry count. When the second pass fills fewer entries than counted in the first pass, the subsequent copy_to_user() call transmits the full buffer size including uninitialized trailing bytes—leaking kernel heap memory to userspace. The fix involves copying only the actual filled count rather than the pre-allocated size, combined with using kzalloc for zeroed allocation to prevent future similar leaks.
Business impact
This information disclosure vulnerability allows local attackers to read sensitive kernel memory that may contain cryptographic keys, authentication tokens, or other confidential data residing on the heap. In multi-tenant container or virtualization environments, this could facilitate privilege escalation or lateral movement. The impact is confined to local attackers and requires specific ioctl invocation patterns, but the nature of heap memory leaks makes the exact sensitive data exposure unpredictable and potentially severe. Organizations running btrfs on systems with untrusted local users face elevated risk.
Affected systems
All versions of the Linux kernel using the btrfs filesystem driver are potentially affected. This includes systems where btrfs is compiled as a module or built into the kernel, regardless of whether actively in use. Enterprise deployments of Linux with btrfs for storage pools, container hosts using btrfs backend drivers, and specialized storage appliances are most commonly affected. The vulnerability requires local code execution capability; remote exploitation is not possible.
Exploitability
Exploitation requires local user-level access to a system running btrfs and the ability to execute the vulnerable ioctl. While no public exploit is known to be in active use, the technical barrier is low—a malicious local user can repeatedly trigger the ioctl under varying concurrency conditions to harvest leaked kernel memory. The race condition window is narrow but achievable through persistent attempts. This is not remotely exploitable and does not grant kernel code execution; it is purely an information disclosure channel.
Remediation
Apply kernel patches that fix the TOCTOU race by: (1) removing the synchronization gap between counting and filling the space info buffer, (2) ensuring copy_to_user() copies only the actual number of filled entries rather than the preallocated size, and (3) using kzalloc instead of kmalloc to zero-initialize the buffer. Systems should update the Linux kernel to a version containing this fix. Until patching is possible, restrict ioctl access via LSM policies or disable btrfs on systems where it is not essential.
Patch guidance
Consult the Linux kernel security advisory and your distribution's kernel update channel for the specific patched version. Verify the patch commit message mentions the TOCTOU race fix in btrfs_ioctl_space_info() and confirms the use of kzalloc and corrected copy size. Most major distributions (Red Hat, Ubuntu, Debian, SUSE) have released or will release kernel updates addressing this vulnerability. Test patches in non-production environments before deployment, particularly for storage-critical systems. Review btrfs usage across your infrastructure to prioritize systems for patching.
Detection guidance
Monitor for unusual btrfs ioctl activity (BTRFS_IOC_SPACE_INFO) via audit logs or eBPF-based tracing. While the vulnerability itself leaves limited artifacts, patterns of repeated rapid ioctl calls may indicate exploitation attempts. System log analysis for memory access violations or warnings from address sanitizers can help in development and test environments. Host-based detection is challenging because the leak is silent; focus on kernel version inventory and patch compliance scanning.
Why prioritize this
Although classified as MEDIUM severity (CVSS 4.7), this vulnerability should be prioritized for patching in environments where btrfs is actively used and local user accounts exist. The information disclosure channel, while not directly enabling privilege escalation, can facilitate attacks in multi-stage campaigns. Organizations with strict data confidentiality requirements, those handling cryptographic material on btrfs volumes, or those in regulated industries should treat this as higher priority. Systems with btrfs disabled or on airgapped networks can be deprioritized.
Risk score, explained
The CVSS 4.7 MEDIUM score reflects: (1) Low attack vector (local only), (2) High attack complexity due to race condition timing requirements, (3) Low privilege requirement (unprivileged user sufficient), (4) No impact on integrity or availability (information disclosure only), but (5) Confidentiality impact from kernel memory exposure. The score appropriately captures the practical risk for most deployments while acknowledging the severity for sensitive environments. Risk context increases significantly in multi-tenant scenarios or systems handling secrets.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. This vulnerability requires local code execution on the affected system. Remote attackers cannot trigger the race condition or access the leaked memory. If your systems are properly hardened against local privilege escalation and untrusted local users, exposure is reduced.
Does this vulnerability allow privilege escalation to root?
No. The vulnerability is information disclosure only. It allows reading uninitialized kernel memory but does not grant the ability to execute kernel code or modify kernel state. However, leaked credentials or keys could enable subsequent privilege escalation attacks.
Which Linux distributions are affected?
All distributions shipping the Linux kernel with btrfs support are potentially vulnerable until they provide updated kernel versions containing the fix. This includes Red Hat Enterprise Linux, Ubuntu, Debian, SUSE, and others. Check your distribution's security advisories for patch availability and versions.
What should I do if I cannot immediately patch my kernel?
Restrict access to btrfs ioctl operations using SELinux or AppArmor policies if possible. Remove unnecessary local user accounts on systems with btrfs. Disable btrfs if it is not actively required for your workload. Increase monitoring of system calls and audit logging to detect exploitation attempts. Plan kernel patching within your change management window as soon as safely possible.
This analysis is provided for informational purposes to support vulnerability management decision-making. The technical details are derived from the CVE record and kernel security advisories but do not constitute legal advice or a comprehensive security audit. Verify all patch versions, vendor guidance, and system compatibility against official Linux distribution advisories before deploying updates. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consultation with your security team and vendor support for environment-specific guidance. Exploit code or detailed weaponization guidance is not provided; this explainer is for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-59610MEDIUM
CVE-2025-59610: Qualcomm Memory Corruption via IOCTL API Version Mismatch – Patch Guidance
- CVE-2026-20454MEDIUM
CVE-2026-20454: MediaTek geniezone Race Condition Privilege Escalation (CVSS 6.4)
- CVE-2025-64390HIGH
CVE-2025-64390: PlayStation 4 BD-J Sandbox Escape Privilege Escalation (Firmware 13.00-13.02)
- CVE-2026-25260HIGH
CVE-2026-25260 Qualcomm Firmware Memory Corruption Vulnerability
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUM
CVE-2025-71314: Linux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUM
CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUM
CVE-2026-10018: Integer Overflow in Chrome ANGLE GPU Graphics Layer