In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free in createspaceinfosubgroup() error path
When kobjectinitand_add() fails, the call chain is:
createspaceinfosubgroup() -> btrfssysfsaddspaceinfotype() -> kobjectinitandadd() -> failure -> kobjectput(&subgroup->kobj) -> spaceinforelease() -> kfree(sub_group)
Then control returns to createspaceinfosubgroup(), where:
btrfssysfsaddspaceinfotype() returns error -> kfree(subgroup)
Thus, sub_group is freed twice.
Keep parent->subgroup[index] = NULL for the failure path, but after btrfssysfsaddspaceinfotype() has called kobject_put(), let the kobject release callback handle the cleanup.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46164.json",
"cna_assigner": "Linux"
}