CVE-2026-46159 Overview
CVE-2026-46159 is a time-of-check time-of-use (TOCTOU) race condition in the Linux kernel's btrfs filesystem ioctl handler. The flaw resides in btrfs_ioctl_space_info(), which performs two passes over block group RAID type lists separated by a release of the groups_sem rwlock. Concurrent block group removal between passes can shrink the entry count, causing copy_to_user() to leak uninitialized kmalloc heap bytes to userspace. The issue was resolved upstream by copying only the actual filled entry count and switching the buffer allocation to kzalloc.
Critical Impact
Local users can trigger an information leak that exposes uninitialized kernel heap memory, potentially aiding further kernel exploitation by disclosing pointers or sensitive data.
Affected Products
- Linux kernel (btrfs filesystem subsystem)
- Distributions shipping affected stable kernel branches prior to the fix commits
- Systems where btrfs is mounted and accessible to local unprivileged users
Discovery Timeline
- 2026-05-28 - CVE-2026-46159 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46159
Vulnerability Analysis
The btrfs_ioctl_space_info() function services the BTRFS_IOC_SPACE_INFO ioctl, which reports per-RAID-type space usage to userspace. The handler operates in two passes. The first pass walks the block group lists under groups_sem to count entries, then drops the lock and allocates an output buffer sized to that count. The second pass re-acquires the lock and fills the buffer with current entries.
Between the two passes, the lock is released. A concurrent block group removal during this window reduces the number of entries available in the second pass. The handler then calls copy_to_user() using the original alloc_size, which is larger than the actually-filled total_spaces count. The trailing bytes contain uninitialized memory returned by kmalloc, leaking kernel heap contents to userspace.
Root Cause
The root cause is a classic TOCTOU pattern combined with use of kmalloc for a buffer subsequently copied in full to userspace. The size used for the user copy reflects the first-pass count rather than the second-pass fill count. The dropped groups_sem rwlock breaks the invariant that the count and the fill remain consistent.
Attack Vector
A local attacker with permission to issue the BTRFS_IOC_SPACE_INFO ioctl on a btrfs mount races the ioctl against block group removal operations such as those triggered by balance, device removal, or empty block group cleanup. Successful races disclose uninitialized slab memory, which may contain residual pointers, cryptographic material, or other kernel data useful for bypassing KASLR or staging further exploitation.
No verified public exploit code is available. The vulnerability mechanism is described in the upstream commit messages referenced in the patch information below.
Detection Methods for CVE-2026-46159
Indicators of Compromise
- Unexpected BTRFS_IOC_SPACE_INFO ioctl invocations from unprivileged processes correlated with concurrent btrfs balance, device removal, or block group cleanup activity.
- High-frequency repeated BTRFS_IOC_SPACE_INFO calls from a single process, indicative of race-window exploitation attempts.
Detection Strategies
- Audit kernel version and patch level on all Linux hosts running btrfs to identify systems missing the upstream fix commits.
- Enable Linux audit rules for ioctl syscalls targeting btrfs filesystems and review for anomalous user-to-kernel patterns.
- Use eBPF-based telemetry to record process, UID, and ioctl command pairs for forensic correlation.
Monitoring Recommendations
- Monitor for processes that hold btrfs file descriptors and issue space_info ioctls at high cadence.
- Alert on unprivileged users triggering btrfs maintenance operations or rapid repeated space queries.
- Track kernel package versions in the asset inventory and flag hosts on vulnerable stable branches.
How to Mitigate CVE-2026-46159
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that incorporates the upstream btrfs fix.
- Restrict local shell access on systems where btrfs is mounted, particularly multi-tenant hosts.
- Verify backups before performing kernel upgrades on btrfs-backed systems.
Patch Information
The fix copies only total_spaces entries from the second pass to userspace and switches the buffer allocation to kzalloc so any future size mismatch cannot leak heap data. Upstream fix commits are available in the kernel.org stable tree: 4fdc6ee0, 5d12e0ab, 973e57c7, d09d67d5, and f5ee467b.
Workarounds
- Limit local user access to systems with btrfs filesystems mounted until the kernel patch is applied.
- Where feasible, restrict access to btrfs mount points using filesystem permissions or namespace isolation to reduce exposure to the ioctl interface.
- Use mandatory access controls such as SELinux or AppArmor profiles to constrain which processes may issue ioctls on btrfs file descriptors.
# Verify the running kernel version and compare against patched stable releases
uname -r
# Identify btrfs mounts on the host
findmnt -t btrfs
# Example SELinux check to confirm enforcement on btrfs-relevant domains
getenforce
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
