HIGH · CVE-2026-46164 · CNA: Linux

CVE-2026-46164: btrfs: fix double free in create_space_info_sub_group() error path

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

    create_space_info_sub_group()
    -> btrfs_sysfs_add_space_info_type()
    -> kobject_init_and_add()
    -> failure
    -> kobject_put(&sub_group->kobj)
    -> space_info_release()
    -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

    btrfs_sysfs_add_space_info_type() returns error
    -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
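The ownership rule behind this fix, shown as an added userspace model in C (not kernel code and not part of the upstream patch): once the sysfs helper has called kobject_put() on failure, the release callback has already freed the object, so the caller must not free it again. The model_* names, run_model() and the counting stand-in for kfree() are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel objects; every name is hypothetical. */
struct kobj { int refs; void (*release)(struct kobj *); };
struct sub_group { struct kobj kobj; };
static int kfree_calls;            /* times the model "freed" sub_group */

/* Stand-in for kfree(): only counts, so a second call is observable
 * without real heap corruption. The memory is released in run_model(). */
static void model_kfree(struct sub_group *sg) { (void)sg; kfree_calls++; }

/* Release callback: frees the containing object, like space_info_release(). */
static void model_release(struct kobj *k)
{
    model_kfree((struct sub_group *)((char *)k - offsetof(struct sub_group, kobj)));
}

static void model_kobject_put(struct kobj *k) { if (--k->refs == 0) k->release(k); }

/* Like btrfs_sysfs_add_space_info_type(): on failure it drops the last
 * reference itself, so the release callback has already run on return. */
static int model_sysfs_add(struct sub_group *sg, int fail)
{
    sg->kobj.refs = 1;
    sg->kobj.release = model_release;
    if (fail)
        model_kobject_put(&sg->kobj);
    return fail ? -1 : 0;
}

/* Caller error path: fixed=0 repeats the pre-fix kfree(), fixed=1 leaves
 * cleanup to the release callback. Returns the number of frees counted. */
int run_model(int fail, int fixed)
{
    struct sub_group *sg = malloc(sizeof(*sg));
    if (!sg) return -1;
    kfree_calls = 0;
    if (model_sysfs_add(sg, fail) != 0 && !fixed)
        model_kfree(sg);           /* second free of the same object */
    free(sg);                      /* real release, outside the model */
    return kfree_calls;
}

int main(void)
{
    printf("pre-fix: %d frees, fixed: %d frees\n", run_model(1, 0), run_model(1, 1));
    return 0;
}
```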

HarborGuard Analysis

Synopsis

A double-free vulnerability exists in the Linux kernel's btrfs filesystem driver, specifically in the create_space_info_sub_group() error-handling path. The bug is reachable locally and requires a user to trigger the relevant code path, with exploitation complicated by environmental timing factors; successful exploitation gives an attacker full read, write, and crash capability over the affected system. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46164 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel modules.
Triage: Available

Triage is available using the CVSS v3.1 score of 7.0 (HIGH), weighted further against each customer environment's compliance policy; findings are routed to the appropriate team inbox within each customer organization based on policy configuration.
Patch: Available

A patched-image rebuild targeting fix versions 6.6.141 and 6.2 (and the corresponding upstream commits) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Not required

    No authentication or existing account is required to trigger the vulnerable code path.

  • Victim interaction: Required

    A local user must take some action (such as mounting or interacting with a btrfs filesystem) to trigger the error path that causes the double free.

  • Attack complexity: Detail

    Exploitation depends on race conditions or specific memory layout conditions at the time of the error path, making reliable exploitation non-trivial.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, exposing stored credentials, session tokens, and other sensitive data.
  • Controlled writes to freed kernel memory allow the attacker to overwrite kernel data structures, modifying persisted filesystem state or privileged process context.
  • Triggering the double free can crash the kernel entirely, taking down all workloads running on the affected host.
  • Kernel-level code execution is achievable by shaping heap layout to control the reuse of the freed sub_group allocation.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing an affected Linux kernel version, covering both upstream base images and internally built images. Where compliance policy permits, a patched-image rebuild at kernel 6.6.141 or 6.2 (or the pinned upstream commits) is made available automatically; for customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for HIGH-severity issues is around 90 minutes, covering the full rebuild, regression run, and PR opened against affected workloads. Customers not yet on a fix version can apply compensating controls in the interim: restrict btrfs mount privileges to trusted users via Linux capability policies, apply network-policy isolation to limit lateral movement if the kernel is compromised, and consider disabling btrfs subgroup sysfs exposure where feature-flag gating is available in your environment.

Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < d2a675f2e238ec96c8e91e2718c1f910c9c8fb21 (from 0bd151ce4200ca847990e05cca29a76456982ca5) · < 14b22be1dd844383eb03af9b1ee3b6b25d32aeaf (from 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb) · < dfd05a16b5c9d1d98b47905f37f2fccda52173d1 (from f92ee31e031c7819126d2febdda0c3e91f5d2eb9) · < 259af6857a1b4f1e9ef8b780353f9d11c26a22bd (from f92ee31e031c7819126d2febdda0c3e91f5d2eb9) · < a7449edf96143f192606ec8647e3167e1ecbd728 (from f92ee31e031c7819126d2febdda0c3e91f5d2eb9) · 64c7ddda83acfbaa0efb381a1928ce908c584607
  • Linux / Linux
    6.16
    Fixed in 0, 6.6.141, 6.12.90, 6.18.32, 7.0.7, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H