HIGH 7.0

CVE-2026-46164

A memory management bug in the Linux kernel's Btrfs filesystem can cause the same memory region to be freed twice when a sysfs initialization step fails. This double-free condition can lead to memory corruption and potentially allow an attacker with local access to crash the system or execute code with elevated privileges. The issue occurs in error handling code that wasn't properly coordinated between two layers of the filesystem's initialization logic.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-415
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46164 is a double-free vulnerability in the Btrfs filesystem's create_space_info_sub_group() function. When kobject_init_and_add() fails during sysfs registration of a space info subgroup, the error handling chain results in the sub_group structure being freed twice: once by the kobject release callback (space_info_release()) triggered by kobject_put(), and again by the caller function's error path. The root cause is inadequate separation of responsibility between btrfs_sysfs_add_space_info_type() and its caller regarding ownership of the sub_group allocation. The fix ensures that parent->sub_group[index] remains NULL on failure and allows the kobject callback to handle cleanup without redundant kfree() calls.

Business impact

Exploitation of this vulnerability could allow unprivileged local users to trigger a kernel panic or memory corruption, affecting system availability and potentially confidentiality or integrity depending on how the freed memory is reused. For organizations running Btrfs-based infrastructure—particularly in cloud environments, container hosts, or NAS appliances—this represents a denial-of-service and potential privilege escalation risk. Systems with multi-tenant or untrusted-user scenarios are at heightened risk.

Affected systems

The Linux kernel is affected. Systems using the Btrfs filesystem are at risk, particularly those where local users or container tenants can trigger filesystem initialization errors (e.g., by mounting Btrfs volumes with specific metadata patterns or during dynamic space group reconfiguration). Verify against vendor advisories for specific kernel versions containing this code path.

Exploitability

Exploitation requires local access and the ability to induce the error condition in create_space_info_sub_group(), making the attack vector local with high complexity. The CVSS score of 7.0 (HIGH) reflects the serious impact on system stability and potential for privilege escalation, but the high complexity and requirement for user interaction temper the risk relative to remote exploits. This is not currently tracked as a known exploited vulnerability in the wild.

Remediation

Apply a kernel update that includes the fix for CVE-2026-46164. The patch modifies the error handling in create_space_info_sub_group() to properly delegate memory cleanup to the kobject release callback, eliminating the double-free condition. Verify the specific patched kernel version from your Linux distribution or the upstream kernel project.

Patch guidance

Check your Linux distribution's security advisories for kernel updates addressing this issue. Patches should be available from upstream linux kernel repositories and distribution maintainers (Ubuntu, RHEL, Debian, SUSE, etc.). Test patches in non-production environments before broad deployment. For systems using Btrfs heavily, prioritize this update within your standard patching cycle. No workaround exists other than updating the kernel.

Detection guidance

Monitor system logs for kernel oops or panic messages related to Btrfs sysfs operations, particularly those mentioning space_info or kobject errors. Use dynamic analysis tools (KASAN, UBSAN) in test environments to detect double-free conditions. Kernel tracing with ftrace or eBPF can capture calls to btrfs_sysfs_add_space_info_type() and their outcomes. Validate running kernel versions against upstream advisories to confirm whether your deployment includes the vulnerable code.

Why prioritize this

A CVSS 7.0 (HIGH) kernel memory vulnerability affecting a widely-used filesystem deserves prompt attention. While exploitation requires local access and induced error conditions, the impact on system stability and the potential for privilege escalation in multi-tenant or untrusted-user environments make this a material risk. Organizations using Btrfs should prioritize this patch; others should schedule it in their normal cycle.

Risk score, explained

The score of 7.0 reflects HIGH severity due to high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), but is moderated by the requirement for local access (AV:L), high attack complexity to trigger the error path (AC:H), and user interaction needed to induce the condition (UI:R). The vulnerability is serious for local attackers but not as critical as remote or network-accessible flaws.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. This is a local vulnerability (AV:L) requiring local access to the system. Remote exploitation is not possible.

What is a double-free vulnerability and why is it dangerous?

A double-free occurs when the same memory region is deallocated twice. This corrupts kernel memory management structures, enabling an attacker to overwrite critical data, cause crashes, or potentially execute code. In this case, freeing the same structure twice can lead to kernel panic or heap corruption.

Do I need to worry about this if I'm not using Btrfs?

If your systems do not use Btrfs as a filesystem, this specific vulnerability does not affect you. However, if you are uncertain, check your storage configuration or consult with your infrastructure team.

What should I do if I cannot patch immediately?

Restrict local user access and container tenant privileges where possible, limit the ability to mount or reconfigure Btrfs volumes, and monitor kernel logs for related errors. These are temporary mitigations only; patching is the definitive fix.

This analysis is provided for informational purposes. Verify all patch versions, vendor advisories, and affected product lists directly with Linux distributors and upstream kernel maintainers. No exploit code or weaponizable details are included. Security teams should validate risk and prioritization against their own threat models and infrastructure. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-46129HIGH

    CVE-2026-46129: Linux Kernel Btrfs Double-Free Memory Corruption – Privilege Escalation

  • CVE-2026-46162HIGH

    CVE-2026-46162: Linux ice Driver Double-Free Kernel Vulnerability — Privilege Escalation Risk

  • CVE-2026-44422HIGH

    CVE-2026-44422: FreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)