{"api_version":"1","generated_at":"2026-05-29T19:13:21+00:00","cve":"CVE-2026-46107","urls":{"html":"https://cve.report/CVE-2026-46107","api":"https://cve.report/api/cve/CVE-2026-46107.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46107","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46107"},"summary":{"title":"dm-thin: fix metadata refcount underflow","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere's a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node's child to the node itself and then decrement the\nchild's reference count.\n\nIf the child node is shared (it has reference count > 1), we won't free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn't match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-28 10:16:26","updated_at":"2026-05-28 13:44:01"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c","name":"https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044","name":"https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad","name":"https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460","name":"https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5","name":"https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46107","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46107","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4 12161e03d33afce781f68fa11cc6060538862fad git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4 323d252a4a378834e4fe68298ca61cfc5dd3a460 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4 85311a585a26640760cd0f3349ab9f2905691044 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4 5ec0debbcfd43596e32c1239e993de06a704e04c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4 09a65adc7d8bbfce06392cb6d375468e2728ead5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.88 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.30 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc2 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46107","cve":"CVE-2026-46107","epss":"0.000180000","percentile":"0.051520000","score_date":"2026-05-28","updated_at":"2026-05-29 00:13:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/md/persistent-data/dm-btree-remove.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"12161e03d33afce781f68fa11cc6060538862fad","status":"affected","version":"3241b1d3e0aaafbfcd320f4d71ade629728cc4f4","versionType":"git"},{"lessThan":"323d252a4a378834e4fe68298ca61cfc5dd3a460","status":"affected","version":"3241b1d3e0aaafbfcd320f4d71ade629728cc4f4","versionType":"git"},{"lessThan":"85311a585a26640760cd0f3349ab9f2905691044","status":"affected","version":"3241b1d3e0aaafbfcd320f4d71ade629728cc4f4","versionType":"git"},{"lessThan":"5ec0debbcfd43596e32c1239e993de06a704e04c","status":"affected","version":"3241b1d3e0aaafbfcd320f4d71ade629728cc4f4","versionType":"git"},{"lessThan":"09a65adc7d8bbfce06392cb6d375468e2728ead5","status":"affected","version":"3241b1d3e0aaafbfcd320f4d71ade629728cc4f4","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/md/persistent-data/dm-btree-remove.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.2"},{"lessThan":"3.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.88","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.30","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc2","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.88","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.30","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc2","versionStartIncluding":"3.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere's a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node's child to the node itself and then decrement the\nchild's reference count.\n\nIf the child node is shared (it has reference count > 1), we won't free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn't match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared."}],"providerMetadata":{"dateUpdated":"2026-05-28T09:35:13.051Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad"},{"url":"https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460"},{"url":"https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044"},{"url":"https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c"},{"url":"https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5"}],"title":"dm-thin: fix metadata refcount underflow","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46107","datePublished":"2026-05-28T09:35:13.051Z","dateReserved":"2026-05-13T15:03:33.098Z","dateUpdated":"2026-05-28T09:35:13.051Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 10:16:26","lastModifiedDate":"2026-05-28 13:44:01","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46107","Ordinal":"1","Title":"dm-thin: fix metadata refcount underflow","CVE":"CVE-2026-46107","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46107","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere's a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node's child to the node itself and then decrement the\nchild's reference count.\n\nIf the child node is shared (it has reference count > 1), we won't free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn't match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared.","Type":"Description","Title":"dm-thin: fix metadata refcount underflow"}]}}}