In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free in create_space_info() error path
When kobject_init_and_add() fails, the call chain is:
create_space_info()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&space_info->kobj)
-> space_info_release()
-> kfree(space_info)
Then control returns to create_space_info():
btrfs_sysfs_add_space_info_type() returns error
-> goto out_free
-> kfree(space_info)
This causes a double free.
Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.
| Score | Percentile |
|---|---|
| 0.14% | 3.56% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-4m7v-4fw7-9hch ↗ |
| CVE | CVE-2026-46129 ↗ |
| CWE id | Name |
|---|---|
| CWE-415 | Double Free |