Skip to main content

Linux Kernel CVE-2026-46159

| EUVDEUVD-2026-32786 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8m37-fqxx-cfwj
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 21:08 vuln.today
CVSS changed
Jun 09, 2026 - 21:07 NVD
4.7 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.

Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.

AnalysisAI

Kernel heap memory disclosure in the Linux btrfs subsystem allows a low-privileged local user to read uninitialized kmalloc heap bytes from kernel memory via a TOCTOU race in the btrfs_ioctl_space_info() code path. Affected systems are those running btrfs filesystems on kernel versions dating back to 2.6.34; the race window opens when groups_sem is released between the slot-counting and buffer-filling passes of the ioctl, and concurrent block group removal shrinks the actual entry count below the allocated buffer size, causing copy_to_user() to copy trailing uninitialized heap data into userspace. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low (0.02%), but patched stable releases are available.

Technical ContextAI

The vulnerability resides in the btrfs filesystem driver's btrfs_ioctl_space_info() function in the Linux kernel (CWE-367: Time-Of-Check Time-Of-Use Race Condition). The ioctl operates in two passes: first it acquires groups_sem (an rwlock), counts RAID-typed block group entries to compute alloc_size, then releases the lock before re-acquiring it for the second pass that fills the kmalloc'd buffer. The release of groups_sem between passes creates a concurrent-modification window. If another thread removes a block group during this window, the second pass writes fewer entries than alloc_size bytes accounts for, leaving trailing kmalloc bytes uninitialized. The subsequent copy_to_user() call then transmits the full alloc_size - including those uninitialized trailing bytes - to userspace, constituting a heap information leak. The fix patches the code to copy only the actually-filled total_spaces entries and switches the allocation to kzalloc to zero-initialize memory and prevent future similar leaks. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from version 2.6.34 onward.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel release: 6.6.140 or later for the 6.6.x LTS branch, 6.12.90 or later for the 6.12.x branch, 7.0.7 or later for the 7.0.x branch, 6.18.32 or later for the 6.18.x branch, or 7.1-rc1 or later for mainline - per EUVD-2026-32786 and the upstream commits at https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a and related links. Distributions (Debian, Ubuntu, RHEL, SUSE) should be monitored for backported kernel updates incorporating these commits. As a compensating control where patching is not immediately feasible, restricting the use of btrfs filesystems to trusted users only limits exploitation surface, since the attack requires a local user capable of issuing ioctl calls against a btrfs-mounted volume; note that this does not eliminate the vulnerability but removes unprivileged access. Disabling btrfs entirely (if the system uses ext4/xfs instead) eliminates the attack path entirely with no functional trade-off for non-btrfs workloads. No workaround exists that preserves full btrfs functionality while blocking the race without the kernel patch.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy