CVE-2026-46107
dm-thin Metadata Refcount Underflow in Linux Kernel
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux_kernel | dm-thin | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as errors related to device mapper metadata reference counts, specifically "device mapper: space map common: unable to decrement block" errors.
To detect this issue on your system, you can monitor system logs for these specific error messages.
- Use the command: sudo dmesg | grep 'device mapper: space map common: unable to decrement block'
- Check system logs with: sudo journalctl -k | grep 'device mapper: space map common: unable to decrement block'
These commands help identify if the dm-thin metadata refcount underflow bug is occurring by detecting the related error messages.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by updating the Linux kernel to a version where the dm-thin metadata refcount underflow bug is resolved.
Immediate mitigation steps include:
- Update your Linux kernel to the latest patched version that includes the fix for dm-thin.
- Monitor system logs for the related error messages to detect if the issue persists.
- Avoid using affected dm-thin features or configurations until the patch is applied.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's dm-thin module, specifically in the function rebalance_children. The bug occurs when an internal btree node with one entry tries to copy all btree entries from its child node to itself and then decrements the child's reference count.
If the child node is shared (meaning it has a reference count greater than 1), the code does not free it, resulting in two pointers to each of the grandchildren nodes. However, the reference counts of the grandchildren are not incremented accordingly, causing a mismatch between the number of pointers and the reference counts.
This mismatch leads to errors such as "device mapper: space map common: unable to decrement block." The fix involves incrementing the reference counts on the grandchildren nodes if the btree node is shared.
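The refcount mismatch described above can be reproduced in a small user-space model. This is an added example, not kernel code: the block layout, the `collapse_single_child` and `dec_block` helpers and the `apply_fix` flag are hypothetical names for illustration, and the tree is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

#define NBLOCKS 8
#define MAXENT  4

/* Toy space map: one refcount per metadata block (constructed model). */
struct node { int nr; int child[MAXENT]; };    /* nr == 0 means leaf */
static int ref[NBLOCKS];
static struct node nodes[NBLOCKS];
static int underflows;

/* Drop one reference; at zero the node is freed and releases its children. */
static void dec_block(int b) {
    if (ref[b] == 0) { underflows++; return; } /* "unable to decrement block" */
    if (--ref[b] == 0)
        for (int i = 0; i < nodes[b].nr; i++) dec_block(nodes[b].child[i]);
}

/* A parent with a single entry absorbs its child's entries, then drops the child. */
static void collapse_single_child(int parent, int apply_fix) {
    int c = nodes[parent].child[0];
    int shared = ref[c] > 1;
    nodes[parent] = nodes[c];                  /* copy all entries up */
    if (shared && apply_fix)                   /* fix: count the new pointers */
        for (int i = 0; i < nodes[c].nr; i++) ref[nodes[c].child[i]]++;
    if (shared) ref[c]--;                      /* child survives and keeps its pointers */
    else { ref[c] = 0; nodes[c].nr = 0; }      /* sole owner: pointers moved, child freed */
}

/* Returns how many decrements hit a block whose refcount was already zero. */
int simulate(int apply_fix) {
    memset(ref, 0, sizeof ref); memset(nodes, 0, sizeof nodes); underflows = 0;
    nodes[0] = (struct node){1, {2}};          /* A: internal node with one entry */
    nodes[1] = (struct node){1, {2}};          /* B: second owner of the same child */
    nodes[2] = (struct node){2, {3, 4}};       /* C: shared child, two grandchildren */
    ref[0] = ref[1] = 1; ref[2] = 2; ref[3] = ref[4] = 1;
    collapse_single_child(0, apply_fix);
    dec_block(1);                              /* delete B: frees C, then its children */
    dec_block(0);                              /* delete A: releases the copied pointers */
    return underflows;
}

int main(void) {
    printf("without fix: %d underflows\n", simulate(0));
    printf("with fix:    %d underflows\n", simulate(1));
    return 0;
}
```

In the model, the underflow only surfaces later, when both owners of the grandchildren are torn down, which is why the log message can appear well after the rebalance that caused it.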
How can this vulnerability impact me?
This vulnerability can cause errors in the device mapper's space map, specifically "unable to decrement block" errors, which may lead to incorrect reference counting in the dm-thin module.
Such errors could potentially result in data integrity issues or unexpected behavior in storage management, as the reference counts do not accurately reflect the actual usage of the underlying data structures.