{"id":"CVE-2026-46164","summary":"btrfs: fix double free in create_space_info_sub_group() error path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info_sub_group() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info_sub_group()\n-\u003e btrfs_sysfs_add_space_info_type()\n-\u003e kobject_init_and_add()\n-\u003e failure\n-\u003e kobject_put(&sub_group-\u003ekobj)\n-\u003e space_info_release()\n-\u003e kfree(sub_group)\n\nThen control returns to create_space_info_sub_group(), where:\n\nbtrfs_sysfs_add_space_info_type() returns error\n-\u003e kfree(sub_group)\n\nThus, sub_group is freed twice.\n\nKeep parent-\u003esub_group[index] = NULL for the failure path, but after\nbtrfs_sysfs_add_space_info_type() has called kobject_put(), let the\nkobject release callback handle the cleanup.","modified":"2026-07-08T08:13:41.721264092Z","published":"2026-05-28T09:36:19.810Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46164.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2d59527cba6d59f0d77a75c1101ab4e69758bea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46164.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46164"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"64c7ddda83acfbaa0efb381a1928ce908c584607"},{"fixed":"c2d59527cba6d59f0d77a75c1101ab4e69758bea"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0bd151ce4200ca847990e05cca29a76456982ca5"},{"fixed":"d2a675f2e238ec96c8e91e2718c1f910c9c8fb21"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"190d5a7c4fe42b8c9aa46e3336389e7cb10395bb"},{"fixed":"14b22be1dd844383eb03af9b1ee3b6b25d32aeaf"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f92ee31e031c7819126d2febdda0c3e91f5d2eb9"},{"fixed":"dfd05a16b5c9d1d98b47905f37f2fccda52173d1"},{"fixed":"259af6857a1b4f1e9ef8b780353f9d11c26a22bd"},{"fixed":"a7449edf96143f192606ec8647e3167e1ecbd728"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.1.162"},{"fixed":"6.1.176"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.6.122"},{"fixed":"6.6.141"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.12.67"},{"fixed":"6.12.90"}]}],"versions":["v6.1.175","v6.1.174","v6.1.173","v6.1.172","v6.1.171","v6.1.170","v6.1.169","v6.1.168","v6.1.167","v6.1.166","v6.1.165","v6.1.164","v6.1.163","v6.1.162","v6.6.140","v6.6.139","v6.6.138","v6.6.137","v6.6.136","v6.6.135","v6.6.134","v6.6.133","v6.6.132","v6.6.131","v6.6.130","v6.6.129","v6.6.128","v6.6.127","v6.6.126","v6.6.125","v6.6.124","v6.6.123","v6.6.122","v6.12.89","v6.12.88","v6.12.87","v6.12.86","v6.12.85","v6.12.84","v6.12.83","v6.12.82","v6.12.81","v6.12.80","v6.12.79","v6.12.78","v6.12.77","v6.12.76","v6.12.75","v6.12.74","v6.12.73","v6.12.72","v6.12.71","v6.12.70","v6.12.69","v6.12.68","v6.12.67"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46164.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.90"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.32"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.16.0"},{"fixed":"7.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46164.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}