PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46107 Linux CVE debrief

A reference count underflow vulnerability exists in the Linux kernel's device-mapper thin provisioning target (dm-thin). The flaw occurs in the `rebalance_children` function during B-tree rebalancing operations. When an internal B-tree node contains exactly one entry, the code attempts to migrate all entries from the child node to the parent node and then decrements the child's reference count. If the child node is shared (reference count > 1), it is not freed, resulting in two pointers to each grandchild node without corresponding reference count increments on those grandchildren. This mismatch between pointer count and reference count triggers metadata corruption errors (specifically, 'device mapper: space map common: unable to decrement block') and can lead to data integrity issues in thin-provisioned storage configurations. The vulnerability has been resolved by ensuring reference counts on grandchildren are properly incremented when the B-tree node is shared.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

System administrators managing Linux servers with LVM thin-provisioned storage; storage infrastructure engineers utilizing device-mapper thin provisioning; cloud providers offering block storage services built on Linux kernel device-mapper; DevOps teams responsible for kernel lifecycle management on storage-heavy workloads

Technical summary

The vulnerability exists in the `rebalance_children` function within the Linux kernel's dm-thin module. During B-tree rebalancing, when an internal node has a single entry, the code path migrates child entries to the parent and decrements the child's reference count. The defect manifests when the child node is shared (refcount > 1): the node persists due to outstanding references, but the grandchildren nodes gain additional pointers without corresponding reference count increments. This reference count underflow causes metadata corruption detectable via space map decrement failures. The fix ensures proper reference count incrementation on grandchildren when operating on shared B-tree nodes.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the dm-thin fix for CVE-2026-46107 when available from your Linux distribution
  • Monitor system logs for 'device mapper: space map common: unable to decrement block' errors as potential indicators of this condition
  • Review thin-provisioned storage deployments for stability if running unpatched kernel versions
  • Validate backup and recovery procedures for LVM thin pools given potential metadata integrity risks
  • Coordinate with storage infrastructure teams to schedule maintenance windows for kernel updates on systems utilizing device-mapper thin provisioning

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details derived from kernel commit messages describing the `rebalance_children` fix in dm-thin. Multiple stable kernel branch fixes are referenced, indicating backporting across supported versions.

Official resources

2026-05-28