CVE-2026-46196

Source
https://cve.org/CVERecord?id=CVE-2026-46196
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46196.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46196
Downstream
Related
Published
2026-05-28T09:36:49.293Z
Modified
2026-07-15T01:49:17.134532970Z
Summary
tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
Details

In the Linux kernel, the following vulnerability has been resolved:

tracepoint: balance regfunc() on funcadd() failure in tracepointadd_func()

When a tracepoint goes through the 0 -> 1 transition, tracepointaddfunc() invokes the subsystem's ext->regfunc() before attempting to install the new probe via funcadd(). If funcadd() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscallregfunc() bumps systracepointrefcount and sets SYSCALLTRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46196.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8cf868affdc459beee1a941df0cfaba1673740e3
Fixed
5787052e5f69beb649f3d6a80a8aa37d9e683e4e
Fixed
4f1756d043e56ea2e9a6c858fb290a0cf6fc2251
Fixed
36ff362235307af95152d510b53c2d9b8773a342
Fixed
247ed8a969f981bfba3112fd4bb441eaa6cef59c
Fixed
7bcadb3c2bc1cf60690e931aadd35fb7bd646a49
Fixed
2c5b8eeea006eb694c81631cd5713d494b80be90
Fixed
342829e042ac00f3d68d442ea92873fb6683f494
Fixed
fad217e16fded7f3c09f8637b0f6a224d58b5f2e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46196.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.88
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46196.json"