Description
In the Linux kernel, the following vulnerability has been resolved:

dm-thin: fix metadata refcount underflow

There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.

If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren are not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.

Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reference count underflow in the Linux kernel's dm-thin metadata handling occurs in rebalance_children: when an internal btree node with a single entry copies the entries of a shared child into itself, the grandchildren nodes gain a second pointer but their reference counts are not increased. The resulting mismatch between the number of pointers to the grandchildren and their reference counts leads to kernel errors such as “device mapper: space map common: unable to decrement block”. This flaw can cause the device-mapper driver to malfunction, potentially leading to data corruption or service disruption for any thin-provisioned storage device.
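The pointer/refcount mismatch described above, as a simplified model added here (it is not the kernel's code and not part of the original record). The block layout and the names `collapse`, `tree_del` and `run` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model: a refcount per metadata block plus child pointers. */
#define NBLOCKS 5
struct node { int nr; int child[2]; };
static int refcnt[NBLOCKS];
static struct node blk[NBLOCKS];
static int underflows;

/* Drop one pointer to b; when the count reaches zero, drop b's own pointers. */
static void tree_del(int b) {
    if (refcnt[b] == 0) { underflows++; return; } /* "unable to decrement block" */
    if (--refcnt[b] == 0)
        for (int i = 0; i < blk[b].nr; i++) tree_del(blk[b].child[i]);
}

/* A single-entry parent copies its child's entries, then drops the child. */
static void collapse(int parent, int fixed) {
    int c = blk[parent].child[0];
    blk[parent] = blk[c];
    if (fixed && refcnt[c] > 1)   /* shared child survives: count the new pointers */
        for (int i = 0; i < blk[c].nr; i++) refcnt[blk[c].child[i]]++;
    refcnt[c]--;                  /* plain decrement, no recursion */
}

/* Roots 0 and 1 each point at shared child 2, which points at leaves 3 and 4.
   Collapse root 0, delete both trees, and return the number of underflows. */
static int run(int fixed) {
    memset(blk, 0, sizeof blk);
    underflows = 0;
    blk[0] = blk[1] = (struct node){1, {2}};
    blk[2] = (struct node){2, {3, 4}};
    refcnt[0] = refcnt[1] = 1; refcnt[2] = 2; refcnt[3] = refcnt[4] = 1;
    collapse(0, fixed);
    tree_del(0);
    tree_del(1);
    return underflows;
}

int main(void) {
    printf("without grandchild increment: %d underflows\n", run(0));
    printf("with grandchild increment:    %d underflows\n", run(1));
    return 0;
}
```

In the model the underflow only shows up when the second tree is deleted, which is why the kernel message can appear well after the rebalance that caused the mismatch.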

Affected Systems

The defect is present in the Linux kernel's device-mapper thin provisioning component. No specific affected kernel release identifiers are supplied, so the version range that contains the bug is unknown. Systems running a kernel version that includes an unpatched dm-thin implementation are at risk.

Risk and Exploitability

No CVSS score is provided and the EPSS score is unavailable; the issue is not listed in the CISA KEV catalog. Exploitation is inferred to be local, or to require that an attacker can influence thin-provisioned volumes, which may be possible for privileged users or on operating systems that allow the creation or modification of device-mapper devices. Because the flaw results in a driver error and potential service interruption, the primary risk is denial of service rather than data exfiltration or privilege escalation. The likelihood of widespread exploitation is uncertain, but the impact can be significant for affected workloads with thin-provisioned storage.

Generated by OpenCVE AI on May 28, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version containing the dm-thin refcount underflow fix (see the commit references provided).
  • If a kernel upgrade cannot be performed immediately, disable thin provisioning or remove dm-thin devices to prevent the fault from affecting the system.
  • Continuously monitor kernel logs for the message “device mapper: space map common: unable to decrement block” to detect any accidental or delayed exploitation.


Advisories

No advisories yet.

History

Thu, 28 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-612

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren are not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.
Title dm-thin: fix metadata refcount underflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:13.051Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46107

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T10:16:26.063

Modified: 2026-05-28T10:16:26.063

Link: CVE-2026-46107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T12:00:12Z

Weaknesses