CVE Catalog

CVE-2026-46164

HighCVSS 7.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile - higher than 4% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel that leads to a double free in the create_space_info_sub_group() function on error. The issue occurs when kobject_init_and_add() fails, resulting in the sub_group object being freed twice.

Risk Assessment

Double freeing memory can lead to unpredictable system behavior, including crashes or potential exploitation by malicious software. Organizations should be aware of the risks associated with system stability and security.

Recommendation

It is recommended to update the Linux kernel to the latest version to mitigate this vulnerability. Additionally, monitor systems for any irregular behavior following the update.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS