CVE-2026-46107
A bug in the Linux kernel's device mapper thin provisioning layer can cause reference counting errors when managing shared metadata trees. When the kernel tries to reorganize a btree node that has been shared across multiple data structures, it fails to properly track pointers to child nodes, leading to crashes and data unavailability. The flaw occurs specifically in the rebalance_children function during metadata tree operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-191
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-25
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46107 is a reference count underflow vulnerability in dm-thin's btree rebalancing logic. When rebalance_children consolidates entries from a shared child node into its parent, the code increments only the parent's reference count while failing to increment reference counts for grandchild nodes that now have multiple pointers. This creates a mismatch between logical pointers and reference counts, eventually triggering 'unable to decrement block' errors in the space map common code when the system attempts to free supposedly unused blocks. The root cause is incomplete bookkeeping during tree restructuring when shared nodes are involved.
Business impact
Systems running affected Linux kernels with dm-thin provisioning active may experience unexpected service interruptions. Storage-backed containers, virtual machines, or thin-provisioned volumes can become inaccessible when metadata corruption triggers the reference counting error. Organizations relying on thin provisioning for storage efficiency face potential data unavailability and require immediate patching to restore stability. Database servers, container platforms, and cloud infrastructure using dm-thin are at direct risk.
Affected systems
This vulnerability affects the Linux kernel across distributions that include dm-thin in their standard or optional configurations. Any system using Linux kernel thin provisioning (common in containerized environments, KVM/QEMU hypervisors, and enterprise storage) is potentially vulnerable. The flaw is in core kernel code, making it relevant to production servers, cloud platforms, and virtualization hosts. Verify your kernel version and whether dm-thin modules are loaded or compiled in.
Exploitability
Exploitation requires local access and the ability to trigger btree rebalancing operations on shared thin provisioning metadata. An unprivileged local user with access to the system can indirectly cause the condition through normal thin volume operations. No network vector exists; this is strictly a local privilege boundary crossing. The bug manifests during routine metadata management rather than requiring sophisticated attack techniques, making it a practical risk in multi-tenant or shared-access environments.
Remediation
Apply kernel updates that include the fix incrementing reference counts on grandchild nodes during shared btree rebalancing. Coordinate with your Linux distributor to obtain patched kernel versions for your specific release. In interim periods, consider disabling thin provisioning if feasible or restricting local user access. Test patched kernels in non-production environments before production deployment to ensure storage stability.
Patch guidance
Check your Linux distribution's security advisories for kernel updates addressing CVE-2026-46107. The fix is in the dm-thin rebalance_children function; verify patch notes confirm this specific address. Apply updates during a scheduled maintenance window given the storage-critical nature of this code path. Reboot systems after applying kernel updates to activate the fix. Coordinate with container orchestration and virtualization teams if your infrastructure depends on thin provisioning.
Detection guidance
Monitor kernel logs for repeated 'device mapper: space map common: unable to decrement block' errors, which signal the reference counting mismatch. Systems exhibiting these messages should be prioritized for patching. Check running kernel version via `uname -r` and cross-reference against your distributor's vulnerability bulletins. If dm-thin is in use, validate kernel patch status as part of vulnerability scanning. Virtualization and container hosts should be flagged for immediate assessment.
Why prioritize this
Despite not being on the KEV catalog, this vulnerability merits urgent attention due to its impact on infrastructure stability. The HIGH CVSS score (7.8) reflects privilege escalation potential and complete system compromise. Local exploitability combined with widespread dm-thin deployment in cloud and containerized environments elevates practical risk. Production outages from storage metadata corruption justify treating this as priority-1 in environments using thin provisioning.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects attack vector local, low complexity, low privilege requirements, and high impact across confidentiality, integrity, and availability. The bug enables local privilege escalation and denial of service. While not network-exploitable, the low barrier to local triggering and severe consequences for storage infrastructure justify the high rating. Organizations with thin provisioning in production should treat this as critical infrastructure exposure.
Frequently asked questions
Does this affect my system if I'm not using thin provisioning?
No. This vulnerability is specific to dm-thin provisioning. If your storage uses thick provisioning or you have not explicitly enabled thin provisioning, you are not affected. Check your LVM or storage configuration to confirm.
Can this be exploited remotely?
No. The vulnerability requires local system access and the ability to trigger btree operations. It does not have a network attack vector. However, any local user with system access can potentially cause the condition through normal storage operations.
What happens if I don't patch?
Continued use of thin provisioning may trigger reference counting errors during normal metadata operations, leading to storage unavailability, error messages, and potential data access loss. The risk increases with system uptime and metadata churn.
Is this related to ransomware or active exploitation?
Currently, this vulnerability is not tracked on the KEV catalog and there is no evidence of active ransomware exploitation. However, local privilege escalation potential makes it a consolidation target in multi-stage attacks if the system is otherwise compromised.
This analysis is provided for informational purposes based on the disclosed vulnerability record. Reference count handling logic and affected kernel versions should be verified against your Linux distributor's official security advisories and your specific deployment. This publication does not constitute professional security advice. Organizations should conduct internal risk assessment and testing before applying patches. No exploit code or weaponized proof-of-concept is provided or endorsed. All patch and mitigation guidance should be validated against vendor documentation and your infrastructure's specific configuration and requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-37231HIGH
CVE-2026-37231: FlexRIC xapp_id Counter Overflow Denial of Service
- CVE-2026-35049MEDIUM
CVE-2026-35049: Wire iOS Denial-of-Service via Malformed Proteus Message
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGH
CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGH
CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance