CVE-2026-31434
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix leak of kobject name for sub-group space_info When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked. This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error: unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 6.1.170-1 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.19.11-1 |
| debian | sid | fixed | 6.19.11-1 |
| debian | trixie | fixed | 6.12.85-1 |
| linux-kernel | affected | 6.1.168 | |
| linux-kernel | 7.0 | affected | |
References
- https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a
- https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc
- https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949
- https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48
- https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c
- https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41
- https://www.suse.com/security/cve/CVE-2026-31434.html
- https://security-tracker.debian.org/tracker/CVE-2026-31434
CWEs
CWE-401
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.