CVE-2026-46107

Description

In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-28 | Updated 2026-06-01 | Assigner Linux

Product status

References

git.kernel.org/...c/f49b41c9eb7c6ff00df27cd49cea210abbadd8ad

git.kernel.org/...c/f06f6aededd792a754cd677c02b3d3016d868c2c

git.kernel.org/...c/12161e03d33afce781f68fa11cc6060538862fad

git.kernel.org/...c/323d252a4a378834e4fe68298ca61cfc5dd3a460

git.kernel.org/...c/85311a585a26640760cd0f3349ab9f2905691044

git.kernel.org/...c/5ec0debbcfd43596e32c1239e993de06a704e04c

git.kernel.org/...c/09a65adc7d8bbfce06392cb6d375468e2728ead5

cve.org (CVE-2026-46107)

nvd.nist.gov (CVE-2026-46107)

Download JSON