{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31434", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-22T13:53:34.357Z", "dateUpdated": "2026-05-11T22:08:38.104Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:38.104Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix leak of kobject name for sub-group space_info\n\nWhen create_space_info_sub_group() allocates elements of\nspace_info->sub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is\nnot called and the associated kobj->name objects are leaked.\n\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\n\nunreferenced object 0xffff888112877d40 (size 16):\n comm \"mount\", pid 1244, jiffies 4294996972\n hex dump (first 16 bytes):\n 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......\n backtrace (crc 53ffde4d):\n __kmalloc_node_track_caller_noprof+0x619/0x870\n kstrdup+0x42/0xc0\n kobject_set_name_vargs+0x44/0x110\n kobject_init_and_add+0xcf/0x150\n btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\n create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\n create_space_info+0x211/0x320 [btrfs]\n btrfs_init_space_info+0x15a/0x1b0 [btrfs]\n open_ctree+0x33c7/0x4a50 [btrfs]\n btrfs_get_tree.cold+0x9f/0x1ee [btrfs]\n vfs_get_tree+0x87/0x2f0\n vfs_cmd_create+0xbd/0x280\n __do_sys_fsconfig+0x3df/0x990\n do_syscall_64+0x136/0x1540\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/block-group.c"], "versions": [{"version": "64c7ddda83acfbaa0efb381a1928ce908c584607", "lessThan": "416484f21a9d1280cf6daa7ebc10c79b59c46e48", "status": "affected", "versionType": "git"}, {"version": "0bd151ce4200ca847990e05cca29a76456982ca5", "lessThan": "94054ffd311a1f76b7093ba8ebf50bdb0d28337c", "status": "affected", "versionType": "git"}, {"version": "190d5a7c4fe42b8c9aa46e3336389e7cb10395bb", "lessThan": "1737ddeafbb1304f41ec2eede4f7366082e7c96a", "status": "affected", "versionType": "git"}, {"version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9", "lessThan": "3c844d01f9874a43004c82970d8da94f9aba8949", "status": "affected", "versionType": "git"}, {"version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9", "lessThan": "3c645c6f7e5470debbb81666b230056de48f36dc", "status": "affected", "versionType": "git"}, {"version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9", "lessThan": "a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/block-group.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.162", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.122", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.67", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48"}, {"url": "https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c"}, {"url": "https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a"}, {"url": "https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949"}, {"url": "https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc"}, {"url": "https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41"}], "title": "btrfs: fix leak of kobject name for sub-group space_info", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix leak of kobject name for sub-group space_info\n\nWhen create_space_info_sub_group() allocates elements of\nspace_info->sub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is\nnot called and the associated kobj->name objects are leaked.\n\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\n\nunreferenced object 0xffff888112877d40 (size 16):\n comm \"mount\", pid 1244, jiffies 4294996972\n hex dump (first 16 bytes):\n 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......\n backtrace (crc 53ffde4d):\n __kmalloc_node_track_caller_noprof+0x619/0x870\n kstrdup+0x42/0xc0\n kobject_set_name_vargs+0x44/0x110\n kobject_init_and_add+0xcf/0x150\n btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\n create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\n create_space_info+0x211/0x320 [btrfs]\n btrfs_init_space_info+0x15a/0x1b0 [btrfs]\n open_ctree+0x33c7/0x4a50 [btrfs]\n btrfs_get_tree.cold+0x9f/0x1ee [btrfs]\n vfs_get_tree+0x87/0x2f0\n vfs_cmd_create+0xbd/0x280\n __do_sys_fsconfig+0x3df/0x990\n do_syscall_64+0x136/0x1540\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements."}], "id": "CVE-2026-31434", "lastModified": "2026-04-23T16:17:41.280", "metrics": {}, "published": "2026-04-22T14:16:36.533", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: btrfs: fix leak of kobject name for sub-group space_info", "id": "2460728", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460728"}, "csaw": false, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's btrfs filesystem. When sub-groups for space information are created, associated kobject names are allocated. However, these names are not properly released when the sub-groups are removed, leading to a memory leak. A local user could exploit this vulnerability by repeatedly triggering the allocation and removal of these sub-groups, potentially causing system resource exhaustion and a denial of service."], "name": "CVE-2026-31434", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31434\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31434\nhttps://lore.kernel.org/linux-cve-announce/2026042240-CVE-2026-31434-87f3@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[64c7ddda83acfbaa0efb381a1928ce908c584607,416484f21a9d1280cf6daa7ebc10c79b59c46e48)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0bd151ce4200ca847990e05cca29a76456982ca5,94054ffd311a1f76b7093ba8ebf50bdb0d28337c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[190d5a7c4fe42b8c9aa46e3336389e7cb10395bb,1737ddeafbb1304f41ec2eede4f7366082e7c96a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f92ee31e031c7819126d2febdda0c3e91f5d2eb9,3c844d01f9874a43004c82970d8da94f9aba8949)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f92ee31e031c7819126d2febdda0c3e91f5d2eb9,3c645c6f7e5470debbb81666b230056de48f36dc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f92ee31e031c7819126d2febdda0c3e91f5d2eb9,a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T01:54:04.227294+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the patch removing the missing btrfs_sysfs_remove_space_info() call (commits 1737ddeafbb1304f41ec2eede4f7366082e7c96a and related updates).", "If upgrading immediately is not possible, disable the Btrfs filesystem or unmount it when it is not required to reduce memory usage from the space_info entries.", "Monitor kernel memory usage and consider enforcing stricter limits or using low\u2011memory killer settings to mitigate the effects of a potential leak."], "summary": {"action": "Patch Kernel", "impact": "Memory Leak Leading to Potential Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel deployments that include the Btrfs filesystem and expose the space_info structure are affected, regardless of distribution. The leak can manifest in any kernel version prior to the patch commit referenced in the advisory. Systems built with the CONFIG_DEBUG_KMEMLEAK option are especially useful for detecting the leak, but dynamic memory pressure can occur in normal operation as well.", "description_and_impact": "The vulnerability arises in the Linux kernel\u2019s Btrfs filesystem when creating space_info sub\u2011groups. The code fails to remove the kobject name entries on deallocation, which leaks name strings. This is a CWE\u2011911 weakness involving inadequate deallocation of name objects. The leak is manifested as orphaned memory that can accumulate over time and potentially exhaust kernel memory.", "risk_and_exploitability": "The advisory does not provide a CVSS score. The EPSS score is < 1%, indicating a very low chance of active exploitation. The vulnerability is not in CISA\u2019s KEV catalog. The leak can accumulate as many space_info objects are created, which may occur during normal Btrfs operation or specific workloads that heavily use the space_info structure. No public exploitation has been documented, but the potential for memory exhaustion remains."}}}}, "created": "2026-04-22T15:30:20.459958+00:00", "updated": "2026-04-29T02:00:27.258472+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}