CVE-2026-31434

EUVD-2026-24757

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix leak of kobject name for sub-group space_info

When create_space_info_sub_group() allocates elements of
space_info->sub_group[], kobject_init_and_add() is called for each
element via btrfs_sysfs_add_space_info_type(). However, when
check_removing_space_info() frees these elements, it does not call
btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is
not called and the associated kobj->name objects are leaked.

This memory leak is reproduced by running the blktests test case
zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak
feature reports the following error:

unreferenced object 0xffff888112877d40 (size 16):
  comm "mount", pid 1244, jiffies 4294996972
  hex dump (first 16 bytes):
    64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f  data-reloc......
  backtrace (crc 53ffde4d):
    __kmalloc_node_track_caller_noprof+0x619/0x870
    kstrdup+0x42/0xc0
    kobject_set_name_vargs+0x44/0x110
    kobject_init_and_add+0xcf/0x150
    btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]
    create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]
    create_space_info+0x211/0x320 [btrfs]
    btrfs_init_space_info+0x15a/0x1b0 [btrfs]
    open_ctree+0x33c7/0x4a50 [btrfs]
    btrfs_get_tree.cold+0x9f/0x1ee [btrfs]
    vfs_get_tree+0x87/0x2f0
    vfs_cmd_create+0xbd/0x280
    __do_sys_fsconfig+0x3df/0x990
    do_syscall_64+0x136/0x1540
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

To avoid the leak, call btrfs_sysfs_remove_space_info() instead of
kfree() for the elements.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-1 fixed
forky	6.19.11-1 fixed
sid	6.19.13-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

References

https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a

https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc

https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949

https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48

https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c

https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41