{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46159","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.102Z","datePublished":"2026-05-28T09:36:14.676Z","dateUpdated":"2026-06-19T11:59:41.263Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-19T11:59:41.263Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/ioctl.c"],"versions":[{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"f407aad350bdea4db300c47433573b7a41630d33","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"d8224b1be6627c6c3b204bfb264508d27c65ac44","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"d69a4a6813fdba7c4cc3695a7e843842b240790d","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"f5ee467b56764964027c361641f64953fc0f8f9a","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"5d12e0ab009ade48c1bff9324fd9bea2c773d088","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"d09d67d5de577cedae3de9497dff217e0ac8b641","status":"affected","versionType":"git"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"973e57c726c1f8e77259d1c8e519519f1e9aea77","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/ioctl.c"],"versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.90","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.32","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.12.90"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.18.32"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f407aad350bdea4db300c47433573b7a41630d33"},{"url":"https://git.kernel.org/stable/c/d8224b1be6627c6c3b204bfb264508d27c65ac44"},{"url":"https://git.kernel.org/stable/c/d69a4a6813fdba7c4cc3695a7e843842b240790d"},{"url":"https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a"},{"url":"https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3"},{"url":"https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088"},{"url":"https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641"},{"url":"https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77"}],"title":"btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak","x_generator":{"engine":"bippy-1.2.0"}}}}