CVE-2026-46129

Source
https://cve.org/CVERecord?id=CVE-2026-46129
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46129.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46129
Downstream
Related
Published
2026-05-28T09:35:44.271Z
Modified
2026-07-08T08:13:41.850871589Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
btrfs: fix double free in create_space_info() error path
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in createspaceinfo() error path

When kobjectinitand_add() fails, the call chain is:

createspaceinfo() -> btrfssysfsaddspaceinfotype() -> kobjectinitandadd() -> failure -> kobjectput(&spaceinfo->kobj) -> spaceinforelease() -> kfree(space_info)

Then control returns to createspaceinfo():

btrfssysfsaddspaceinfotype() returns error -> goto outfree -> kfree(space_info)

This causes a double free.

Keep the direct kfree(spaceinfo) for the earlier failure path, but after btrfssysfsaddspaceinfotype() has called kobject_put(), let the kobject release callback handle the cleanup.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46129.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
20e8f2de3688082eeafeb93c8900485b7542457e
Fixed
ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
58208907c4044a764dbd8896026283905da6d9be
Fixed
c2670ec4aa49ca226bce9776601e0da37502be07
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618
Fixed
f414b3abbba59ef379a2b3c31f2bdd9358ed5e53
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6cb008f1bb23e023dfe615cca5df14570dfc8da5
Fixed
9a060970fd7b5e1c561e4ce73cb9949e4269a738
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a11224a016d6d1d46a4d9b6573244448a80d4d7f
Fixed
dd6ade0fdd59218d71a981ae7c937a304e49209c
Fixed
3f487be81292702a59ea9dbc4088b3360a50e837
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.1.162
Fixed
6.1.175
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.6.122
Fixed
6.6.140
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.12.67
Fixed
6.12.88
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.18.7
Fixed
6.18.30

Affected versions

v6.*
v6.1.162
v6.1.163
v6.1.164
v6.1.165
v6.1.166
v6.1.167
v6.1.168
v6.1.169
v6.1.170
v6.1.171
v6.1.172
v6.1.173
v6.1.174
v6.12.67
v6.12.68
v6.12.69
v6.12.70
v6.12.71
v6.12.72
v6.12.73
v6.12.74
v6.12.75
v6.12.76
v6.12.77
v6.12.78
v6.12.79
v6.12.80
v6.12.81
v6.12.82
v6.12.83
v6.12.84
v6.12.85
v6.12.86
v6.12.87
v6.18.10
v6.18.11
v6.18.12
v6.18.13
v6.18.14
v6.18.15
v6.18.16
v6.18.17
v6.18.18
v6.18.19
v6.18.20
v6.18.21
v6.18.22
v6.18.23
v6.18.24
v6.18.25
v6.18.26
v6.18.27
v6.18.28
v6.18.29
v6.18.7
v6.18.8
v6.18.9
v6.6.122
v6.6.123
v6.6.124
v6.6.125
v6.6.126
v6.6.127
v6.6.128
v6.6.129
v6.6.130
v6.6.131
v6.6.132
v6.6.133
v6.6.134
v6.6.135
v6.6.136
v6.6.137
v6.6.138
v6.6.139

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46129.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.88
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46129.json"