CVE-2026-31434

EUVD-2026-24757

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix leak of kobject name for sub-group space_info

When create_space_info_sub_group() allocates elements of
space_info->sub_group[], kobject_init_and_add() is called for each
element via btrfs_sysfs_add_space_info_type(). However, when
check_removing_space_info() frees these elements, it does not call
btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is
not called and the associated kobj->name objects are leaked.

This memory leak is reproduced by running the blktests test case
zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak
feature reports the following error:

unreferenced object 0xffff888112877d40 (size 16):
  comm "mount", pid 1244, jiffies 4294996972
  hex dump (first 16 bytes):
    64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f  data-reloc......
  backtrace (crc 53ffde4d):
    __kmalloc_node_track_caller_noprof+0x619/0x870
    kstrdup+0x42/0xc0
    kobject_set_name_vargs+0x44/0x110
    kobject_init_and_add+0xcf/0x150
    btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]
    create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]
    create_space_info+0x211/0x320 [btrfs]
    btrfs_init_space_info+0x15a/0x1b0 [btrfs]
    open_ctree+0x33c7/0x4a50 [btrfs]
    btrfs_get_tree.cold+0x9f/0x1ee [btrfs]
    vfs_get_tree+0x87/0x2f0
    vfs_cmd_create+0xbd/0x280
    __do_sys_fsconfig+0x3df/0x990
    do_syscall_64+0x136/0x1540
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

To avoid the leak, call btrfs_sysfs_remove_space_info() instead of
kfree() for the elements.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.1.162 ≤ 𝑥 < 6.1.168
linux	linux_kernel	6.6.122 ≤ 𝑥 < 6.6.131
linux	linux_kernel	6.12.67 ≤ 𝑥 < 6.12.80
linux	linux_kernel	6.16 ≤ 𝑥 < 6.18.21
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.11
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.10-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

Common Weakness Enumeration

CWE-401 - Missing Release of Memory after Effective Lifetime
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, andere nicht näher spezifizierte Auswirkungen zu verursachen und möglicherweise Code auszuführen.
Published: 2026-04-22T22:00:00+00:00

References

https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a

https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc

https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949

https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48

https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c

https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41