In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free in createspaceinfo() error path
When kobjectinitand_add() fails, the call chain is:
createspaceinfo() -> btrfssysfsaddspaceinfotype() -> kobjectinitandadd() -> failure -> kobjectput(&spaceinfo->kobj) -> spaceinforelease() -> kfree(space_info)
Then control returns to createspaceinfo():
btrfssysfsaddspaceinfotype() returns error -> goto outfree -> kfree(space_info)
This causes a double free.
Keep the direct kfree(spaceinfo) for the earlier failure path, but after btrfssysfsaddspaceinfotype() has called kobject_put(), let the kobject release callback handle the cleanup.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46129.json",
"cna_assigner": "Linux"
}