CVE-2026-46107 Overview
CVE-2026-46107 is a reference count underflow vulnerability in the Linux kernel's dm-thin (device-mapper thin provisioning) subsystem. The flaw resides in the rebalance_children function within the btree management code. When an internal btree node contains only one entry, the function copies entries from a child node and decrements the child's reference count without properly handling shared child nodes. This produces a mismatch between actual pointer counts and tracked references on grandchild blocks, leading to device mapper: space map common: unable to decrement block errors and potential thin-provisioned volume corruption.
Critical Impact
Metadata reference count corruption in dm-thin can produce I/O errors, block accounting failures, and possible data loss on thin-provisioned storage volumes.
Affected Products
- Linux kernel (mainline) — dm-thin device-mapper target
- Linux stable kernel branches prior to the commits referenced in the fix
- Distributions shipping affected stable kernels with thin provisioning enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-46107 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46107
Vulnerability Analysis
The dm-thin target uses a copy-on-write btree to manage block mappings for thin-provisioned volumes. The rebalance_children routine handles internal nodes that fall below their minimum entry threshold. When a node has only one entry, the implementation collapses the tree by copying the single child's contents into the parent and releasing the child block.
The defect appears when the child node is shared, meaning its reference count exceeds one due to snapshot or copy-on-write semantics. In that case the child block is not freed, and two distinct btree paths now reference the same set of grandchild blocks. However, the grandchild reference counts are not incremented to reflect the new aliasing. The space map's accounting diverges from the actual pointer topology.
When later operations attempt to release the grandchildren through one of the aliased paths, the space map detects a decrement against a block whose tracked count is already at its expected minimum, producing the unable to decrement block error and aborting the metadata operation.
Root Cause
The root cause is missing reference count maintenance during a btree rebalance when the involved child node is shared. The fix increments reference counts on each grandchild whenever the collapsed child is shared, preserving the invariant that the space map count for any block equals the number of btree pointers that reference it.
Attack Vector
Exploitation requires the ability to trigger rebalance_children against shared btree nodes. This typically occurs in workloads using thin-pool snapshots, where copy-on-write produces shared metadata, combined with deletion or shrinkage patterns that drive internal nodes below the rebalance threshold. The condition is reachable through normal storage administration operations rather than a remote attack surface, and the primary impact is metadata integrity and availability of the thin pool.
Detection Methods for CVE-2026-46107
Indicators of Compromise
- Kernel log entries containing device mapper: space map common: unable to decrement block.
- dm-thin pool transitioning to read-only or Fail mode after metadata operations.
- thin_check reporting reference count mismatches or inconsistent btree structures on the metadata device.
Detection Strategies
- Monitor dmesg and journalctl -k output for device-mapper space map errors on hosts using thin provisioning.
- Run periodic thin_check against offline metadata snapshots to validate btree and reference count consistency.
- Track kernel versions across the fleet and flag hosts running pre-patch stable branches that use dm-thin.
Monitoring Recommendations
- Alert on any occurrence of space map common or dm-thin error strings in kernel logs.
- Watch for thin pool state transitions reported by dmsetup status indicating out_of_data_space or Fail.
- Correlate snapshot creation, deletion, and discard workloads with subsequent metadata error events.
How to Mitigate CVE-2026-46107
Immediate Actions Required
- Inventory hosts using dm-thin thin provisioning, including LVM thin pools and container storage drivers built on dm-thin.
- Upgrade affected systems to a kernel version that includes one of the upstream fix commits referenced below.
- Back up thin pool metadata using thin_dump before applying kernel updates on production storage hosts.
Patch Information
The fix increments grandchild reference counts when the collapsed btree node is shared. Patch commits are available from the upstream Linux kernel tree: Linux Kernel Commit 09a65adc, Linux Kernel Commit 12161e03, Linux Kernel Commit 323d252a, Linux Kernel Commit 5ec0debb, and Linux Kernel Commit 85311a58. Apply the vendor-supplied kernel package that includes these commits for the stable branch in use.
Workarounds
- Avoid workloads that combine snapshot-heavy use with aggressive deletion on thin pools until patched kernels are deployed.
- Where feasible, migrate critical volumes off dm-thin to alternative storage backends until the patch is applied.
- Maintain current thin_dump backups of thin pool metadata so the pool can be reconstructed if reference count corruption occurs.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
