Bug 2482527 (CVE-2026-46159) - CVE-2026-46159 kernel: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
Summary: CVE-2026-46159 kernel: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU ...
Keywords:
Status: NEW
Alias: CVE-2026-46159
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 11:01 UTC by OSIDB Bzimport
Modified: 2026-05-28 15:50 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 11:01:43 UTC 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the allocation size, then the second pass fills the buffer. The
groups_sem rwlock is released between passes, allowing concurrent block
group removal to reduce the entry count.

When the second pass fills fewer entries than the first pass counted,
copy_to_user() copies the full alloc_size bytes including trailing
uninitialized kmalloc bytes to userspace.

Fix by copying only total_spaces entries (the actually-filled count from
the second pass) instead of alloc_size bytes, and switch to kzalloc so
any future copy size mismatch cannot leak heap data.
Comment 1 Keith Grant 2026-05-28 15:47:12 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052824-CVE-2026-46159-2689@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.