Skip to main content

Linux Kernel CVE-2026-31434

| EUVDEUVD-2026-24757 MEDIUM
Memory Leak (CWE-401)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 15:23 vuln.today
CVSS changed
May 20, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24757
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix leak of kobject name for sub-group space_info

When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked.

This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error:

unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e

To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.

AnalysisAI

Memory leak in the Linux kernel btrfs filesystem driver allows a local authenticated attacker to gradually exhaust kernel memory through repeated mount and unmount operations on affected configurations. The flaw exists in check_removing_space_info(), which incorrectly uses kfree() on kobject-initialized sub-group space_info elements instead of the proper kobject_put() teardown path, leaving kobj->name string allocations unreferenced and unfreed. No public exploit exists (EPSS 0.02%, 7th percentile) and the vulnerability is not listed in CISA KEV, placing real-world risk well below the CVSS 5.5 Medium score might suggest.

Technical ContextAI

The vulnerability resides in the btrfs VFS sysfs layer of the Linux kernel (fs/btrfs/sysfs.c), specifically in the lifecycle management of space_info sub-group kobjects. When create_space_info_sub_group() initializes space_info->sub_group[] array elements, it invokes btrfs_sysfs_add_space_info_type(), which calls kobject_init_and_add() - this function internally calls kstrdup() to allocate the kobject's name string on the kernel heap. CWE-401 (Missing Release of Memory after Effective Lifetime) is the root cause: the corresponding teardown function check_removing_space_info() calls kfree() directly on these elements rather than btrfs_sysfs_remove_space_info() (which calls kobject_put()), bypassing the reference-counted kobject destruction path and orphaning the kobj->name allocation. The kmemleak trace confirms 16-byte heap objects allocated via kstrdup() within kobject_set_name_vargs() are never freed. Affected CPE is cpe:2.3:o:linux:linux_kernel across multiple stable branches. The bug was discovered via blktests zbd/009 on zoned block device (ZBD) configurations, indicating sub-group space_info creation is triggered specifically by ZBD-backed btrfs volumes.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.1.168 or later in the 6.1 stable series, 6.6.131 or later in the 6.6 series, 6.12.80 or later in the 6.12 series, 6.18.21 or later in the 6.18 series, 6.19.11 or later in the 6.19 series, or the 7.0 stable release. Upstream fix commits are available at https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a, https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc, https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949, https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48, https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c, and https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41. On systems where kernel patching is not immediately feasible, restricting btrfs mount privileges to root-only via mount policy (e.g., removing CAP_SYS_ADMIN or namespace mount capabilities from unprivileged users) reduces exposure with the trade-off of limiting user-namespace container workflows. Systems not using btrfs or not using zoned block devices are not affected and require no remediation. Distribution-specific advisories from RHEL, Ubuntu, and SUSE should be monitored for backported patches to their respective kernel packages.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy