{ "public_date" : "2026-04-22T00:00:00Z", "bugzilla" : { "description" : "kernel: btrfs: fix leak of kobject name for sub-group space_info", "id" : "2460728", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460728" }, "cwe" : "CWE-911", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: fix leak of kobject name for sub-group space_info\nWhen create_space_info_sub_group() allocates elements of\nspace_info->sub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is\nnot called and the associated kobj->name objects are leaked.\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\nunreferenced object 0xffff888112877d40 (size 16):\ncomm \"mount\", pid 1244, jiffies 4294996972\nhex dump (first 16 bytes):\n64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......\nbacktrace (crc 53ffde4d):\n__kmalloc_node_track_caller_noprof+0x619/0x870\nkstrdup+0x42/0xc0\nkobject_set_name_vargs+0x44/0x110\nkobject_init_and_add+0xcf/0x150\nbtrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\ncreate_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\ncreate_space_info+0x211/0x320 [btrfs]\nbtrfs_init_space_info+0x15a/0x1b0 [btrfs]\nopen_ctree+0x33c7/0x4a50 [btrfs]\nbtrfs_get_tree.cold+0x9f/0x1ee [btrfs]\nvfs_get_tree+0x87/0x2f0\nvfs_cmd_create+0xbd/0x280\n__do_sys_fsconfig+0x3df/0x990\ndo_syscall_64+0x136/0x1540\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements.", "A flaw was found in the Linux kernel's btrfs filesystem. When sub-groups for space information are created, associated kobject names are allocated. However, these names are not properly released when the sub-groups are removed, leading to a memory leak. A local user could exploit this vulnerability by repeatedly triggering the allocation and removal of these sub-groups, potentially causing system resource exhaustion and a denial of service." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31434\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31434\nhttps://lore.kernel.org/linux-cve-announce/2026042240-CVE-2026-31434-87f3@gregkh/T" ], "name" : "CVE-2026-31434", "csaw" : false }