In the Linux kernel, the following vulnerability has been resolved:
tracepoint: balance regfunc() on funcadd() failure in tracepointadd_func()
When a tracepoint goes through the 0 -> 1 transition, tracepointaddfunc() invokes the subsystem's ext->regfunc() before attempting to install the new probe via funcadd(). If funcadd() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.
For syscall tracepoints this is particularly unpleasant: syscallregfunc() bumps systracepointrefcount and sets SYSCALLTRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.
Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46196.json"
}