Description
In the Linux kernel, the following vulnerability has been resolved:

tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()

When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()
invokes the subsystem's ext->regfunc() before attempting to install the
new probe via func_add(). If func_add() then fails (for example, when
allocate_probes() cannot allocate a new probe array under memory pressure
and returns -ENOMEM), the function returns the error without calling the
matching ext->unregfunc(), leaving the side effects of regfunc() behind
with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscall_regfunc()
bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.
After a leaked failure, the refcount is stuck at a non-zero value with no
consumer, and every task continues paying the syscall trace entry/exit
overhead until reboot. Other subsystems providing regfunc()/unregfunc()
pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the
func_add() error path, gated on the same condition used there so the
unwind is symmetric with the registration.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the vulnerability occurs when a tracepoint goes from the unregistered to the registered state; the subsystem’s registration function runs, but the probe installation fails, leaving the cleanup function uninvoked. This omission causes reference counts for syscall tracepoints to remain elevated, so every task continues to pay the overhead of trace entry and exit, which in turn can degrade system performance into a denial of service if the issue repeats. The missing unregistration is a classic CWE‑459 weakness, representing failure to release resources in all execution paths.

Affected Systems

All Linux kernel releases that include the buggy tracepoint_add_func implementation are affected until the patch is applied. No specific sub‑version list is provided, so the vulnerability applies to all current Linux kernels that have not yet incorporated the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability has not been listed in the CISA KEV catalog. Exploitation requires causing a probe allocation failure, typically by inducing memory pressure or otherwise triggering allocation errors, so the likely attack vector is local kernel interaction or sustained resource exhaustion. If successful, the unbalanced reference counts can lead to a system‑wide denial of service.

Generated by OpenCVE AI on June 10, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the tracepoint_add_func patch
  • Disable or reduce the use of unnecessary syscall tracepoints to lower overhead and limit the opportunity for the flaw to manifest
  • Reboot the system to clear any lingering reference counts and activate the patched kernel code

Generated by OpenCVE AI on June 10, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Fri, 29 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them. For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state. Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.
Title tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:01:54.236Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46196

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T10:16:35.253

Modified: 2026-06-10T19:18:27.070

Link: CVE-2026-46196

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46196 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses