CVE-2026-46196: Linux Kernel Tracepoint State Leak and Performance Degradation
A flaw in the Linux kernel's tracepoint subsystem can leave internal state in an inconsistent condition when probe registration fails. Specifically, when the kernel tries to activate a tracepoint for the first time and the activation succeeds but the probe installation fails (e.g., due to out-of-memory conditions), the cleanup routine is never called. This leaves persistent overhead on every task in the system—most notably for syscall tracing—until the system is rebooted. The issue is a resource leak of kernel state rather than a direct security bypass, but it degrades performance and system stability under memory pressure or specific tracepoint registration sequences.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-19
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them. For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state. Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the tracepoint_add_func() function in the Linux kernel's tracepoint infrastructure. When a tracepoint transitions from having zero to one active consumer, the kernel invokes ext->regfunc() to perform subsystem-specific setup (such as incrementing reference counts or setting per-task flags). If the subsequent func_add() call fails—typically due to memory allocation failure in allocate_probes()—the function returns without invoking the corresponding ext->unregfunc() cleanup. For syscall tracepoints, this means syscall_regfunc() has already incremented sys_tracepoint_refcount and set the SYSCALL_TRACEPOINT flag on all tasks, but these changes are never reversed. The result is orphaned kernel state that imposes ongoing CPU overhead and cannot be cleared without rebooting. The fix mirrors the existing 1→0 transition cleanup logic by calling ext->unregfunc() in the error path when func_add() fails after regfunc() has been invoked.
Business impact
While not exploitable for privilege escalation or data theft, this vulnerability can severely degrade system performance under adverse conditions. On production systems making heavy use of tracepoints or experiencing memory pressure, a failed probe installation leaves the kernel in a state where every syscall and tracepoint operation incurs unnecessary overhead. This can manifest as increased latency, reduced throughput, and higher CPU utilization across all workloads. Systems relying on dynamic tracepoint instrumentation—such as those running eBPF-based monitoring, observability agents, or kernel debugging tools—are at elevated risk of triggering the failure condition and suffering persistent performance degradation without operator awareness. The only remedy is a reboot.
Affected systems
All Linux kernel versions that include the tracepoint subsystem are potentially affected. The vulnerability specifically impacts the syscall tracepoint implementation and any other subsystem that defines regfunc()/unregfunc() pairs for registration state management. Systems under sustained memory pressure or those frequently enabling and disabling tracepoints are most likely to encounter the failure path. Check the Linux kernel advisory and your vendor's patch announcements for the specific kernel versions and stable release branches addressed.
Exploitability
This is not an exploitability issue in the traditional sense—there is no code execution, privilege escalation, or information disclosure vector. However, it is easily triggerable by any local user or administrator with permissions to manage tracepoints or run workloads that cause memory allocation failures. The condition can occur naturally during system memory pressure, making it a denial-of-service risk rather than a security boundary violation. Once triggered, the degradation persists without further action from an attacker, making detection of malicious intent difficult.
Remediation
Apply the Linux kernel patch that adds the missing ext->unregfunc() call in the error handling path of tracepoint_add_func(). This ensures that when func_add() fails after regfunc() has been invoked, the corresponding cleanup is performed symmetrically. Affected deployments should prioritize patching systems that make active use of dynamic tracepoint instrumentation, eBPF monitoring, or observability agents. After patching and rebooting, verify that tracepoint registration succeeds and that no orphaned state persists by monitoring sys_tracepoint_refcount and syscall overhead metrics.
Patch guidance
Obtain the Linux kernel update from your distribution's kernel repository or from kernel.org's stable release trees. The patch applies to the tracepoint subsystem and is typically included in stable kernel releases that address this issue. Verify the patch commit hash against the upstream Linux kernel repository to confirm authenticity. After applying the patch and rebuilding the kernel, reboot to load the new kernel image. If your system is currently in a degraded state due to this issue, rebooting to the patched kernel will clear the orphaned state.
Detection guidance
Monitor sys_tracepoint_refcount via sysctl or kernel module inspection to detect abnormally elevated values when no tracepoint consumers are actively registered. Use tools like bpftrace or perf to profile syscall entry/exit overhead and establish baseline metrics; persistent overhead above baselines may indicate orphaned tracepoint state. Review kernel logs and memory allocation failure warnings (OOM, ENOMEM) that occur during tracepoint registration attempts. In environments with strict observability, correlate sudden increases in CPU usage or syscall latency with recent attempts to enable or modify tracepoints via perf, eBPF tools, or systemtap. Implement alerts for sustained elevation in these metrics that cannot be correlated with active tracepoint consumers.
Why prioritize this
Although the CVSS score is MEDIUM (5.5) and the vulnerability does not enable direct exploitation, its impact on system performance and the difficulty in remediating without a reboot make it a priority for systems that depend on stable, predictable performance. The vulnerability is particularly critical for production environments running observability platforms, eBPF agents, or kernel tracing tools that regularly register and unregister tracepoints. The fact that an orphaned state persists until reboot elevates its operational risk, even if it does not pose an immediate security boundary violation. Prioritize patching on systems likely to encounter memory pressure or dynamic tracepoint churn.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM, AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects a local attack vector, low attack complexity, and requirement for low privileges, with high availability impact but no confidentiality or integrity impact. The score appropriately captures that this is a denial-of-service / availability degradation issue triggered by memory allocation failures or tracepoint registration sequences. However, the practical impact on production systems—especially those running continuous observability infrastructure—may warrant elevated prioritization despite the MEDIUM baseline score. Organizations should adjust their internal risk ratings based on their deployment of tracepoint-dependent tools and their tolerance for performance degradation.
Frequently asked questions
Can this vulnerability be exploited for privilege escalation or code execution?
No. This vulnerability does not enable privilege escalation, code execution, or information disclosure. It is a resource leak in kernel state management that results in persistent performance overhead. An attacker cannot gain unauthorized access or execute arbitrary code; however, they could trigger the condition to degrade system performance if they have permissions to enable/disable tracepoints or can induce memory allocation failures.
How will I know if my system has been affected by this issue?
If your system has encountered a failed tracepoint registration attempt (visible in kernel logs as memory allocation failures or ENOMEM errors during tracepoint operations), and you subsequently observe elevated CPU overhead in syscall handling or tracepoint operations without an obvious cause, your system may be in a degraded state. Use monitoring tools to check sys_tracepoint_refcount and syscall latency metrics. The only way to clear this state is to reboot into a patched kernel.
Does this affect all Linux distributions equally?
The vulnerability exists in the Linux kernel's core tracepoint subsystem, so all distributions using affected kernel versions are impacted. However, the likelihood of encountering the failure condition depends on workload characteristics (memory pressure, frequency of tracepoint registration) and the availability of observability tools that make heavy use of dynamic tracepoints. Distributions with proactive kernel update cadences and those that ship observability platforms should prioritize patching.
Is a reboot required to apply the patch?
Yes. Like all Linux kernel patches, this requires rebuilding the kernel and rebooting the system to load the new kernel image. If your system is currently in a degraded state due to this issue, the reboot will also clear the orphaned tracepoint state.
This analysis is provided for informational purposes and based on the vulnerability description and CVSS scoring as of the publication date. Patch availability, affected kernel versions, and remediation timelines are subject to change and should be verified against official Linux kernel advisories and your distribution's security announcements. No liability is assumed for accuracy of patch version numbers or deployment guidance; consult vendor documentation before applying patches to production systems. This vulnerability does not appear on the CISA KEV catalog and is not known to be actively exploited as of the analysis date. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure