CVE-2026-46159

Source
https://cve.org/CVERecord?id=CVE-2026-46159
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46159.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46159
Downstream
Related
Published
2026-05-28T09:36:14.676Z
Modified
2026-07-09T18:30:39.167284630Z
Summary
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix btrfsioctlspaceinfo() slotcount TOCTOU which can lead to info-leak

btrfsioctlspaceinfo() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groupssem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted, copytouser() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.

Fix by copying only totalspaces entries (the actually-filled count from the second pass) instead of allocsize bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46159.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7fde62bffb576d384ea49a3aed3403d5609ee5bc
Fixed
f407aad350bdea4db300c47433573b7a41630d33
Fixed
d8224b1be6627c6c3b204bfb264508d27c65ac44
Fixed
d69a4a6813fdba7c4cc3695a7e843842b240790d
Fixed
f5ee467b56764964027c361641f64953fc0f8f9a
Fixed
4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3
Fixed
5d12e0ab009ade48c1bff9324fd9bea2c773d088
Fixed
d09d67d5de577cedae3de9497dff217e0ac8b641
Fixed
973e57c726c1f8e77259d1c8e519519f1e9aea77

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46159.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.34
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.90
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.32
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46159.json"