FKIE_CVE-2026-46107

Vulnerability from fkie_nvd - Published: 2026-05-28 10:16 - Updated: 2026-05-28 13:44
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere\u0027s a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node\u0027s child to the node itself and then decrement the\nchild\u0027s reference count.\n\nIf the child node is shared (it has reference count \u003e 1), we won\u0027t free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn\u0027t match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared."
    }
  ],
  "id": "CVE-2026-46107",
  "lastModified": "2026-05-28T13:44:01.663",
  "metrics": {},
  "published": "2026-05-28T10:16:26.063",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.