Skip to main content

Linux Kernel ext4 CVE-2026-43066

| EUVDEUVD-2026-27365 MEDIUM
Memory Leak (CWE-401)
2026-05-05 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 20:16 vuln.today
CVSS changed
May 29, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 05, 2026 - 17:31 EUVD
CVE Published
May 05, 2026 - 15:23 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths

During code review, Joseph found that ext4_fc_replay_inode() calls ext4_get_fc_inode_loc() to get the inode location, which holds a reference to iloc.bh that must be released via brelse().

However, several error paths jump to the 'out' label without releasing iloc.bh:

  • ext4_handle_dirty_metadata() failure
  • sync_dirty_buffer() failure
  • ext4_mark_inode_used() failure
  • ext4_iget() failure

Fix this by introducing an 'out_brelse' label placed just before the existing 'out' label to ensure iloc.bh is always released.

Additionally, make ext4_fc_replay_inode() propagate errors properly instead of always returning 0.

AnalysisAI

Buffer-head reference leak in Linux kernel ext4 fast-commit replay (ext4_fc_replay_inode()) allows local authenticated users to exhaust kernel memory, resulting in denial of service. Four distinct error paths in the function skip the mandatory brelse() call on iloc.bh, and the function previously masked all errors by always returning 0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects very low real-world exploitation probability and no CISA KEV listing corroborates the absence of observed active exploitation.

Technical ContextAI

The ext4 fast-commit (FC) feature accelerates journaling by writing compact inode-level journal entries, which are replayed during recovery via ext4_fc_replay_inode(). This function calls ext4_get_fc_inode_loc() to retrieve the on-disk inode location, which internally acquires a reference-counted buffer_head (iloc.bh) that must be released via brelse() when no longer needed. CWE-401 (Missing Release of Memory after Effective Lifetime) manifests at four specific error branch points - failures in ext4_handle_dirty_metadata(), sync_dirty_buffer(), ext4_mark_inode_used(), and ext4_iget() - all of which jump directly to the 'out' label, bypassing the release call. The fix introduces an 'out_brelse' label above 'out' to guarantee cleanup, and corrects the function's error-swallowing behavior. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to a patched stable kernel release: 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0. Fix commits are available at https://git.kernel.org/stable/c/0892f12cd49fde5d5db68137923db107f894f3a3 (5.10 branch), https://git.kernel.org/stable/c/c426231e3d51916e83b6d1ab7ed8a65e83bca5b4 (5.15 branch), and additional branch-specific commits listed in the CVE references. As a compensating control where immediate patching is not feasible, mounting ext4 filesystems with the 'nofast_commit' mount option disables the fast-commit feature entirely, preventing the vulnerable replay code path from executing; the trade-off is reduced journaling throughput. Systems using non-ext4 filesystems or with ext4 mounted without journaling (data=writeback without fast_commit) are not affected by this specific code path.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy