CVE-2026-46164

Source
https://cve.org/CVERecord?id=CVE-2026-46164
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46164.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46164
Downstream
Related
Published
2026-05-28T09:36:19.810Z
Modified
2026-07-08T08:13:41.721264092Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
btrfs: fix double free in create_space_info_sub_group() error path
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in createspaceinfosubgroup() error path

When kobjectinitand_add() fails, the call chain is:

createspaceinfosubgroup() -> btrfssysfsaddspaceinfotype() -> kobjectinitandadd() -> failure -> kobjectput(&subgroup->kobj) -> spaceinforelease() -> kfree(sub_group)

Then control returns to createspaceinfosubgroup(), where:

btrfssysfsaddspaceinfotype() returns error -> kfree(subgroup)

Thus, sub_group is freed twice.

Keep parent->subgroup[index] = NULL for the failure path, but after btrfssysfsaddspaceinfotype() has called kobject_put(), let the kobject release callback handle the cleanup.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46164.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
64c7ddda83acfbaa0efb381a1928ce908c584607
Fixed
c2d59527cba6d59f0d77a75c1101ab4e69758bea
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0bd151ce4200ca847990e05cca29a76456982ca5
Fixed
d2a675f2e238ec96c8e91e2718c1f910c9c8fb21
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
190d5a7c4fe42b8c9aa46e3336389e7cb10395bb
Fixed
14b22be1dd844383eb03af9b1ee3b6b25d32aeaf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f92ee31e031c7819126d2febdda0c3e91f5d2eb9
Fixed
dfd05a16b5c9d1d98b47905f37f2fccda52173d1
Fixed
259af6857a1b4f1e9ef8b780353f9d11c26a22bd
Fixed
a7449edf96143f192606ec8647e3167e1ecbd728
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.1.162
Fixed
6.1.176
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.6.122
Fixed
6.6.141
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.12.67
Fixed
6.12.90

Affected versions

v6.*
v6.1.162
v6.1.163
v6.1.164
v6.1.165
v6.1.166
v6.1.167
v6.1.168
v6.1.169
v6.1.170
v6.1.171
v6.1.172
v6.1.173
v6.1.174
v6.1.175
v6.12.67
v6.12.68
v6.12.69
v6.12.70
v6.12.71
v6.12.72
v6.12.73
v6.12.74
v6.12.75
v6.12.76
v6.12.77
v6.12.78
v6.12.79
v6.12.80
v6.12.81
v6.12.82
v6.12.83
v6.12.84
v6.12.85
v6.12.86
v6.12.87
v6.12.88
v6.12.89
v6.6.122
v6.6.123
v6.6.124
v6.6.125
v6.6.126
v6.6.127
v6.6.128
v6.6.129
v6.6.130
v6.6.131
v6.6.132
v6.6.133
v6.6.134
v6.6.135
v6.6.136
v6.6.137
v6.6.138
v6.6.139
v6.6.140

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46164.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.90
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.32
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46164.json"