Description
In the Linux kernel, the following vulnerability has been resolved:

dm-thin: fix metadata refcount underflow

There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.

If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren is not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.

Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s dm‑thin subsystem contains a reference‑count underflow flaw in the rebalance_children function (CWE‑911). When an internal btree node has a single entry, the code copies all child entries into the node and then decrements the child’s reference count. If that child node is shared, the decrement leaves the grandchild nodes referenced by two pointers without a matching reference count, leading to the error message ‘device mapper: space map common: unable to decrement block’ and an internal consistency issue.

Affected Systems

Affecting all Linux kernel implementations that include the unpatched dm‑thin code, this issue could potentially appear in any kernel version that has the described logic. No specific release version was cited, so security teams should treat all in‑maintenance kernels containing the dm‑thin module before the fix commit as potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates higher severity. The EPSS score of <1% and absence from CISA KEV suggest low exploitation likelihood. The source information does not convey the required attack vector or prerequisites, so no definitive assessment of exploitation feasibility can be made beyond the provided scores.

Generated by OpenCVE AI on May 30, 2026 at 12:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the dm‑thin refcount underflow fix (refer to the commit references provided).
  • If a kernel upgrade cannot be performed, disable thin provisioning or delete existing dm‑thin devices to prevent the fault condition from occurring.
  • Continuously monitor kernel logs for the error message ‘device mapper: space map common: unable to decrement block’ to detect any occurrences of the flaw.

Generated by OpenCVE AI on May 30, 2026 at 12:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 29 May 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-612

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 28 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-612

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.
Title dm-thin: fix metadata refcount underflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:54:57.856Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46107

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:26.063

Modified: 2026-06-01T17:17:24.353

Link: CVE-2026-46107

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46107 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T12:45:23Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count