FKIE_CVE-2026-46196

Vulnerability from fkie_nvd - Published: 2026-05-28 10:16 - Updated: 2026-05-28 13:44
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them. For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state. Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()\n\nWhen a tracepoint goes through the 0 -\u003e 1 transition, tracepoint_add_func()\ninvokes the subsystem\u0027s ext-\u003eregfunc() before attempting to install the\nnew probe via func_add(). If func_add() then fails (for example, when\nallocate_probes() cannot allocate a new probe array under memory pressure\nand returns -ENOMEM), the function returns the error without calling the\nmatching ext-\u003eunregfunc(), leaving the side effects of regfunc() behind\nwith no installed probe to justify them.\n\nFor syscall tracepoints this is particularly unpleasant: syscall_regfunc()\nbumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.\nAfter a leaked failure, the refcount is stuck at a non-zero value with no\nconsumer, and every task continues paying the syscall trace entry/exit\noverhead until reboot. Other subsystems providing regfunc()/unregfunc()\npairs exhibit similarly scoped persistent state.\n\nMirror the existing 1 -\u003e 0 cleanup and call ext-\u003eunregfunc() in the\nfunc_add() error path, gated on the same condition used there so the\nunwind is symmetric with the registration."
    }
  ],
  "id": "CVE-2026-46196",
  "lastModified": "2026-05-28T13:44:01.663",
  "metrics": {},
  "published": "2026-05-28T10:16:35.253",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.