{"id":"CVE-2026-46129","summary":"btrfs: fix double free in create_space_info() error path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info()\n-\u003e btrfs_sysfs_add_space_info_type()\n-\u003e kobject_init_and_add()\n-\u003e failure\n-\u003e kobject_put(&space_info-\u003ekobj)\n-\u003e space_info_release()\n-\u003e kfree(space_info)\n\nThen control returns to create_space_info():\n\nbtrfs_sysfs_add_space_info_type() returns error\n-\u003e goto out_free\n-\u003e kfree(space_info)\n\nThis causes a double free.\n\nKeep the direct kfree(space_info) for the earlier failure path, but\nafter btrfs_sysfs_add_space_info_type() has called kobject_put(), let\nthe kobject release callback handle the cleanup.","modified":"2026-07-08T08:13:41.850871589Z","published":"2026-05-28T09:35:44.271Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46129.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46129.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46129"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"20e8f2de3688082eeafeb93c8900485b7542457e"},{"fixed":"ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"58208907c4044a764dbd8896026283905da6d9be"},{"fixed":"c2670ec4aa49ca226bce9776601e0da37502be07"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618"},{"fixed":"f414b3abbba59ef379a2b3c31f2bdd9358ed5e53"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6cb008f1bb23e023dfe615cca5df14570dfc8da5"},{"fixed":"9a060970fd7b5e1c561e4ce73cb9949e4269a738"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a11224a016d6d1d46a4d9b6573244448a80d4d7f"},{"fixed":"dd6ade0fdd59218d71a981ae7c937a304e49209c"},{"fixed":"3f487be81292702a59ea9dbc4088b3360a50e837"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.1.162"},{"fixed":"6.1.175"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.6.122"},{"fixed":"6.6.140"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.12.67"},{"fixed":"6.12.88"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.18.7"},{"fixed":"6.18.30"}]}],"versions":["v6.1.174","v6.1.173","v6.1.172","v6.1.171","v6.1.170","v6.1.169","v6.1.168","v6.1.167","v6.1.166","v6.1.165","v6.1.164","v6.1.163","v6.1.162","v6.6.139","v6.6.138","v6.6.137","v6.6.136","v6.6.135","v6.6.134","v6.6.133","v6.6.132","v6.6.131","v6.6.130","v6.6.129","v6.6.128","v6.6.127","v6.6.126","v6.6.125","v6.6.124","v6.6.123","v6.6.122","v6.12.87","v6.12.86","v6.12.85","v6.12.84","v6.12.83","v6.12.82","v6.12.81","v6.12.80","v6.12.79","v6.12.78","v6.12.77","v6.12.76","v6.12.75","v6.12.74","v6.12.73","v6.12.72","v6.12.71","v6.12.70","v6.12.69","v6.12.68","v6.12.67","v6.18.29","v6.18.28","v6.18.27","v6.18.26","v6.18.25","v6.18.24","v6.18.23","v6.18.22","v6.18.21","v6.18.20","v6.18.19","v6.18.18","v6.18.17","v6.18.16","v6.18.15","v6.18.14","v6.18.13","v6.18.12","v6.18.11","v6.18.10","v6.18.9","v6.18.8","v6.18.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46129.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.30"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46129.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}