Skip to main content

Linux Kernel CVE-2026-46129

| EUVDEUVD-2026-32888 HIGH
Double Free (CWE-415)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4m7v-4fw7-9hch
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:54 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

AnalysisAI

Local privilege escalation potential in the Linux kernel's btrfs filesystem stems from a double-free in create_space_info() when kobject_init_and_add() fails during sysfs registration. The flaw affects multiple stable Linux branches (6.6.x, 6.12.x, 6.18.x prior to the fixed releases) and could allow a local attacker with low privileges to corrupt kernel memory; no public exploit identified at time of analysis and EPSS is very low (0.02%).

Technical ContextAI

The bug lives in the btrfs (B-Tree File System) space-info accounting subsystem (fs/btrfs/space-info.c). create_space_info() calls btrfs_sysfs_add_space_info_type(), which invokes kobject_init_and_add(). On failure, the kobject infrastructure calls kobject_put(), which triggers space_info_release() and frees the space_info structure. Control then returns to create_space_info(), which jumps to its 'out_free' label and calls kfree(space_info) a second time on the already-freed object - a classic CWE-415 (Double Free) pattern. The fix preserves the direct kfree() for the earlier allocation-failure path but defers cleanup to the kobject release callback once kobject_put() has been issued. Affected CPEs all map to cpe:2.3:o:linux:linux_kernel across the 6.6, 6.12, and 6.18 stable lines, plus mainline 6.19 development branches.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, or 7.0.7 (and 7.1-rc1 for mainline) - whichever corresponds to your branch - via your distribution's kernel update channel; the upstream commits are linked at https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c and the other git.kernel.org references above. If immediate patching is not possible, compensating controls include restricting local shell access to trusted users only, disabling btrfs mount/format capabilities for unprivileged users by tightening CAP_SYS_ADMIN and removing mount permissions in /etc/fstab user options, and avoiding dynamic creation of new btrfs filesystems or subvolumes under memory-pressure conditions where kobject_init_and_add() is most likely to fail. Avoiding btrfs entirely in favor of ext4/xfs on affected hosts removes exposure but requires data migration and changes snapshot/COW capabilities; constraining local user counts reduces the attacker pool without functional impact.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy