GHSA-C6HR-V224-3W2W

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dm-thin: fix metadata refcount underflow

There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.

If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors.

Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-46107"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:26Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere\u0027s a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node\u0027s child to the node itself and then decrement the\nchild\u0027s reference count.\n\nIf the child node is shared (it has reference count \u003e 1), we won\u0027t free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn\u0027t match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared.",
  "id": "GHSA-c6hr-v224-3w2w",
  "modified": "2026-05-28T12:30:28Z",
  "published": "2026-05-28T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46107"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.