Skip to main content

Linux Kernel EUVDEUVD-2026-32866

| CVE-2026-46107 HIGH
Integer Underflow (CWE-191)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-c6hr-v224-3w2w
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:48 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dm-thin: fix metadata refcount underflow

There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.

If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors.

Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.

AnalysisAI

Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.

Technical ContextAI

The bug lives in drivers/md/dm-thin and the underlying persistent-data btree library used by device-mapper thin provisioning, which manages snapshots and shared blocks via copy-on-write btrees protected by reference counts. In rebalance_children(), when an internal btree node has only one entry, its child's entries are copied up and the child is dereferenced; however, when the child is shared (refcount > 1) it is not freed, leaving two parents pointing to the grandchildren without the grandchildren's refcounts being incremented. This mismatch between pointer count and stored refcount in the dm space-map is a classic incorrect reference-count update (conceptually CWE-911 / CWE-672), surfacing as the kernel log message 'device mapper: space map common: unable to decrement block' and ultimately metadata corruption on thin pools with snapshots.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc2 or later on the matching series, or apply the corresponding stable commits (85311a58, 323d252a, 12161e03, 09a65adc, 5ec0debb) available at https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044 and the other URLs listed under references. If patching must be deferred, restrict who can issue device-mapper ioctls by ensuring CAP_SYS_ADMIN is held only by trusted users, avoid exposing dm-thin pools to unprivileged or container workloads, and avoid heavy snapshot/share operations that exercise rebalance_children on shared btree nodes; these workarounds reduce reachability but disable functionality required by storage-heavy workloads (LVM thin pools, container storage drivers like devicemapper) and should be temporary until the patched kernel is deployed.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy