CVE-2026-46107: dm-thin: fix metadata refcount underflow
In the Linux kernel, the following vulnerability has been resolved:
dm-thin: fix metadata refcount underflow
There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren are not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors.
Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.
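
The accounting error described above, as an added example that is not the kernel's code and not part of the advisory: a user-space C model of the single-entry collapse in which a block's reference count must equal the number of pointers to it. The node layout and the names `build`, `collapse`, `mismatches` and `run` are hypothetical, and the four-block tree is constructed sample data.

```c
#include <string.h>

enum { NODES = 4, FANOUT = 2 };

/* Toy model, not kernel code: a block's refcount must equal the number of
 * pointers to it. ext[] counts pointers held from outside this subtree. */
static struct node { int ref, n, child[FANOUT]; } t[NODES];
static int ext[NODES];

/* Constructed sample: 0 -> 1 -> {2,3}; if shared, a snapshot also -> 1. */
static void build(int shared) {
    memset(t, 0, sizeof(t));
    t[0] = (struct node){ 1, 1, { 1 } };
    t[1] = (struct node){ 1 + shared, 2, { 2, 3 } };
    t[2].ref = t[3].ref = ext[0] = 1;
    ext[1] = shared;
}

/* Single-entry case: copy the child's entries into the parent, then drop the
 * parent's reference on the child. fixed != 0 applies the described fix. */
static void collapse(int parent, int fixed) {
    struct node *p = &t[parent], *c = &t[p->child[0]];
    int shared = c->ref > 1;
    p->n = c->n;
    for (int i = 0; i < c->n; i++) {
        p->child[i] = c->child[i];
        if (fixed && shared)
            t[c->child[i]].ref++;   /* new pointer, so new reference */
    }
    c->ref--;                       /* at 0 the child block is freed */
}

/* Blocks whose refcount differs from their live incoming pointer count. */
static int mismatches(void) {
    int in[NODES], bad = 0;
    memcpy(in, ext, sizeof(in));
    for (int i = 0; i < NODES; i++)
        for (int j = 0; t[i].ref > 0 && j < t[i].n; j++)
            in[t[i].child[j]]++;
    for (int i = 0; i < NODES; i++)
        bad += t[i].ref != in[i];
    return bad;
}

/* Build the sample, collapse node 0, return the number of bad blocks. */
static int run(int shared, int fixed) {
    build(shared);
    collapse(0, fixed);
    return mismatches();
}
```

With a shared child and no fix, `run(1, 0)` reports two inconsistent blocks: the grandchildren, each now reachable through two pointers while still counted once. With an unshared child the collapse is already consistent, which is why the increment is needed only when the child is shared.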
HarborGuard Analysis
Synopsis
A metadata refcount underflow bug affects dm-thin, the Linux kernel's thin-provisioning device mapper target. The flaw is reachable locally by a low-privileged user and stems from incorrect reference-count handling in the rebalance_children function when a shared internal btree node is processed. Successful exploitation corrupts storage metadata, giving an attacker the ability to read, modify, or destroy data managed by affected dm-thin volumes. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against all customer images, including custom-built images that bundle affected kernel packages. Scanning covers both base images and layers that introduce or update kernel components.
HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and weights it against each environment's compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy rules.
A patched-image rebuild targeting the fix commits is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the vulnerable code path.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the flaw without involving another user.
- Attack complexity: Detail
Exploit conditions are straightforward and do not rely on race conditions or specific memory layout, making the attack reliable and repeatable.
Blast Radius
- An attacker reads data stored on dm-thin volumes, including file contents and metadata that may contain sensitive application or user data.
- An attacker modifies persisted data on affected thin-provisioned volumes by corrupting btree metadata, altering stored blocks.
- Reference-count underflow causes "unable to decrement block" errors that destabilize the storage layer and crash or disable affected dm-thin volumes.
- Storage metadata corruption can spread across shared snapshots and thin devices backed by the same pool, widening the scope of damage beyond a single volume.
How HarborGuard Handles This
Available on HarborGuard: images containing affected Linux kernel versions are flagged immediately upon CVE ingestion, with CVSS 7.8 HIGH severity surfaced in the scan report. Where compliance policy permits, a rebuilt image incorporating the upstream fix commits is prepared automatically; for customers who opt into auto-remediation, HarborGuard opens a pull request against affected workloads with a regression-test run attached, targeting a median resolution time of around 90 minutes for high-severity issues. Teams that cannot immediately apply the kernel patch can use HarborGuard's policy controls to flag any image deploying dm-thin volumes for manual review, apply network-policy isolation to restrict lateral access to hosts running affected kernels, and gate workloads on a feature flag until the patched image is verified and promoted.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 12161e03d33afce781f68fa11cc6060538862fad (from 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4) · < 323d252a4a378834e4fe68298ca61cfc5dd3a460 (from 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4) · < 85311a585a26640760cd0f3349ab9f2905691044 (from 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4) · < 5ec0debbcfd43596e32c1239e993de06a704e04c (from 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4) · < 09a65adc7d8bbfce06392cb6d375468e2728ead5 (from 3241b1d3e0aaafbfcd320f4d71ade629728cc4f4)
- Linux / Linux 3.2: Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H