Skip to main content

Linux Kernel EUVDEUVD-2026-32791

| CVE-2026-46164 HIGH
Double Free (CWE-415)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rv72-f625-5h95
7.0
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.0 HIGH
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:59 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.0 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.0

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

AnalysisAI

Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.

Technical ContextAI

The flaw resides in fs/btrfs/space-info.c within the btrfs (B-tree filesystem) subsystem of the Linux kernel, specifically in the space accounting code that organizes block group reservations using sysfs-exposed kobject hierarchies. The root cause is a classic ownership/lifetime bug (CWE-415 Double Free class, though CWE is reported as N/A): kobject_init_and_add() failure paths in the kernel require callers to use kobject_put() to trigger the release callback (space_info_release()) which performs kfree(), but create_space_info_sub_group() additionally called kfree() on the same pointer after the helper had already done so. CPE data from EUVD identifies the regression spans multiple stable branches including 6.1.162 to pre-6.2, 6.6.122 to 6.6.141, 6.12.67 to 6.12.90, and mainline 6.16, indicating the bug was introduced and backported widely before being fixed.

RemediationAI

Vendor-released patches are available in stable kernel versions 6.6.141, 6.12.90, 6.18.32, and 7.1-rc1 per EUVD patch metadata - upgrade to one of these or a later release in the appropriate branch. The upstream fix commits can be applied directly from https://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf, https://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd, https://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728, https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21, and https://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1. As a compensating control where prompt patching is infeasible, restrict the ability of untrusted users to mount or manipulate btrfs filesystems (disallow user-namespaced btrfs mounts, restrict CAP_SYS_ADMIN, and avoid exposing btrfs to untrusted containers), accepting the trade-off of reduced filesystem flexibility for tenants; enabling kernel hardening features such as SLAB_FREELIST_HARDENED and CONFIG_SLUB_DEBUG can also make double-free exploitation substantially harder at a small performance cost.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy