CVE-2026-46196 Linux CVE debrief

Who should care

Linux kernel maintainers, system administrators running custom kernel builds, performance engineers monitoring syscall overhead, and security teams tracking kernel resource leak conditions

Technical summary

The tracepoint_add_func() function in the Linux kernel performs a two-phase registration: first calling the subsystem's ext->regfunc() to prepare state, then func_add() to install the probe. When func_add() fails due to memory allocation failure (-ENOMEM), the error return path omitted ext->unregfunc(), leaving subsystem state inconsistent. For syscall tracepoints specifically, syscall_regfunc() increments a global refcount and sets a per-task flag; without the matching unregfunc(), these remain set indefinitely. The fix introduces conditional unregfunc() invocation in the func_add() failure path, using the same transition-detection logic as the normal unregistration path to ensure symmetry.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates from stable branches containing the fix commits
• Monitor for abnormal syscall tracepoint refcount values in /sys/kernel/debug/tracing
• Review custom tracepoint probe loading code for error handling patterns
• Validate memory pressure handling in production kernel deployments

Evidence notes

The vulnerability description and fix details are derived from the official CVE record and NVD source data. The issue was resolved in the Linux kernel stable branches with commits addressing the missing unregfunc() call in the error path.

Official resources