HIGH · CVE-2026-46129 · CNA: Linux

CVE-2026-46129: btrfs: fix double free in create_space_info() error path

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

    create_space_info()
    -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add()
    -> failure
    -> kobject_put(&space_info->kobj)
    -> space_info_release()
    -> kfree(space_info)

Then control returns to create_space_info():

    btrfs_sysfs_add_space_info_type() returns error
    -> goto out_free
    -> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
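The ownership rule behind the fix, as an added user-space model in C (not the kernel patch and not btrfs code). `struct kobj`, `model_kfree()`, `sysfs_add()` and `create_space_info_model()` are simplified stand-ins assumed for illustration; frees are counted rather than performed twice so the program stays well-defined.

```c
#include <stdio.h>
#include <stdlib.h>

struct kobj { int refs; void (*release)(struct kobj *); };
/* kobj is the first member, so a kobj pointer converts back to its owner. */
struct space_info { struct kobj kobj; int frees; };

/* Stand-in for kfree(): records the call so a double free is observable. */
static void model_kfree(struct space_info *si) { si->frees++; }
static void space_info_release(struct kobj *k) { model_kfree((struct space_info *)k); }
static void kobj_put(struct kobj *k) { if (--k->refs == 0) k->release(k); }

/* Models btrfs_sysfs_add_space_info_type(): init takes the first reference;
 * when the add step fails, that reference is dropped before returning. */
static int sysfs_add(struct space_info *si, int fail)
{
    si->kobj = (struct kobj){ .refs = 1, .release = space_info_release };
    if (fail) { kobj_put(&si->kobj); return -1; }
    return 0;
}

/* Returns how many times space_info was freed on the chosen path. */
int create_space_info_model(int fixed, int early_fail, int sysfs_fail)
{
    struct space_info *si = calloc(1, sizeof(*si));
    int frees;

    if (!si) return -1;
    if (early_fail) goto out_free;      /* hypothetical failure before kobject init */
    if (sysfs_add(si, sysfs_fail)) {
        if (fixed) goto out;            /* release callback already did the cleanup */
        goto out_free;                  /* pre-fix: second kfree of the same object */
    }
    kobj_put(&si->kobj);                /* model teardown of a successfully added object */
    goto out;
out_free:
    model_kfree(si);                    /* correct only while no kobject_put() has run */
out:
    frees = si->frees;
    free(si);                           /* the model's single real deallocation */
    return frees;
}

int main(void)
{
    printf("pre-fix sysfs failure: %d frees\n", create_space_info_model(0, 0, 1));
    printf("fixed sysfs failure:   %d frees\n", create_space_info_model(1, 0, 1));
    return 0;
}
```

The direct free stays correct for failures that happen before the kobject is initialised; once `kobject_put()` has run, the release callback is the only owner of the cleanup.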

HarborGuard Analysis

Synopsis

A double-free memory corruption bug exists in the Linux kernel's btrfs (B-Tree File System) subsystem, specifically in the create_space_info() error-handling path. The vulnerability is reachable locally by a low-privileged user and does not require any network access or victim interaction. Successful exploitation gives an attacker full read, write, and execution control within the affected kernel context, enabling data theft, data tampering, or a complete system compromise. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream NVD and Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel modules. Any image whose kernel package version falls in the affected range is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the provided CVSS v3.1 vector and can weight that score against each customer organization's per-environment compliance policy to surface it at the right priority level. Triage findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting fix versions 6.6.140, 6.12.88, or the identified commit refs is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to reach the vulnerable code path; no administrative credentials are needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the double-free entirely through their own process without involving another user.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, including stored credentials, session tokens, and other sensitive data from co-located processes.
  • The attacker writes to arbitrary kernel memory, allowing modification of persisted filesystem data, security policies, or running process state.
  • The double-free can be used to execute attacker-controlled code at kernel privilege, giving full control over the host operating system.
  • All three impact dimensions (confidentiality, integrity, availability) are rated HIGH, so the attacker can also crash the affected system entirely, causing a denial of service.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel package version falls in the affected range, covering both upstream base images and internally built images. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at a fixed kernel version (6.6.140 or 6.12.88 depending on the active stable branch), runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the triage finding is routed to the responsible team inbox so a manual rebuild can be initiated. Until a patched image is deployed, compensating controls such as restricting local shell access to untrusted users and enforcing strict seccomp or AppArmor profiles on btrfs-backed workloads can reduce exposure.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

0 · 3f487be81292702a59ea9dbc4088b3360a50e837 · 6.2 · 6.6.140 · 6.12.88 · 6.18.30 · 7.0.7 · 7.1-rc1 · 9a060970fd7b5e1c561e4ce73cb9949e4269a738 · c2670ec4aa49ca226bce9776601e0da37502be07 · dd6ade0fdd59218d71a981ae7c937a304e49209c · f414b3abbba59ef379a2b3c31f2bdd9358ed5e53
Affected packages
  • Linux / Linux
    < c2670ec4aa49ca226bce9776601e0da37502be07 (from 58208907c4044a764dbd8896026283905da6d9be) · < f414b3abbba59ef379a2b3c31f2bdd9358ed5e53 (from bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618) · < 9a060970fd7b5e1c561e4ce73cb9949e4269a738 (from 6cb008f1bb23e023dfe615cca5df14570dfc8da5) · < dd6ade0fdd59218d71a981ae7c937a304e49209c (from a11224a016d6d1d46a4d9b6573244448a80d4d7f) · < 3f487be81292702a59ea9dbc4088b3360a50e837 (from a11224a016d6d1d46a4d9b6573244448a80d4d7f) · 20e8f2de3688082eeafeb93c8900485b7542457e
  • Linux / Linux
    6.19
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H