HIGH Published 2026-05-28

dm-thin Metadata Underflow

CVE-2026-46107

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI4.3MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Systems using dm-thin provisioning are at risk of metadata operation failures and storage subsystem destabilization. The vulnerability causes reference count underflows in btree metadata operations, leading to 'unable to decrement block' errors that can render thin-provisioned devices inaccessible.

Affecteddrivers/md/persistent-data/dm-btree-remove.c (device-mapper)

Vulnerability analysis

The root cause is in the rebalance_children function where btree node consolidation creates duplicate pointers to grandchildren nodes without incrementing their reference counts when the child node is shared (refcount > 1). This causes a mismatch between actual pointer references and the metadata reference counts. The fix adds a check for shared nodes and properly increments grandchildren reference counts using inc_children() before the consolidation operation. This is a local vulnerability requiring root or CAP_SYS_ADMIN privileges in the initial user namespace to trigger through device-mapper thin-provisioning metadata operations.

03Fix Versions

Branch	Fixed in	Patch commit
5.15	5.15.209	`f49b41c9eb7c`
6.1	6.1.175	`f06f6aededd7`
6.12	6.12.88	`323d252a4a37`
6.18	6.18.30	`85311a585a26`
6.6	6.6.140	`12161e03d33a`
7.0	7.0.7	`5ec0debbcfd4`
mainline	7.1-rc2	`09a65adc7d8b`