Skip to main content

Linux Kernel CVE-2026-43106

| EUVDEUVD-2026-27622 HIGH
2026-05-06 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:26 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix incorrect dentry refcount in cachefiles_cull()

The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references.

However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost.

To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().

AnalysisAI

A reference counting error in Linux kernel's cachefiles subsystem allows local authenticated users to trigger memory corruption and potentially escalate privileges. The vulnerability stems from cachefiles_cull() passing a dentry with insufficient reference count to cachefiles_bury_object(), causing a use-after-free condition. With CVSS 7.8 (high severity) but only 0.02% EPSS exploitation probability (5th percentile), this represents a kernel memory safety issue requiring local access with low attack complexity. Patches available in stable kernel versions 6.19.14 and 7.0.

Technical ContextAI

This vulnerability affects the Linux kernel's cachefiles filesystem caching layer, specifically the reference counting mechanism for directory entries (dentries). When commit 7bb1eb45e43c modified cachefiles_bury_object() to expect two references to the 'rep' dentry parameter, three callers were updated to use start_removing_dentry() which acquires the additional reference. However, the call path through cachefiles_cull() was overlooked and continues passing only one reference. This imbalance causes cachefiles_bury_object() to drop a reference that was never acquired, leading to an incorrect reference count. In kernel memory management, improper reference counting on dentries can result in premature freeing of still-in-use memory structures, creating use-after-free conditions. The cachefiles subsystem manages persistent caching for network filesystems, making this a core kernel component affecting systems using FS-Cache with local disk backing stores.

RemediationAI

Upgrade to patched Linux kernel versions: stable branch 6.19.14 or later, or mainline version 7.0 or later. Specific upstream fixes are in commits 6577df7dc7a7de128442b6192c7a32195c923480 (stable) and 1635c2acdde86c4f555b627aec873c8677c421ed (mainline), available at https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480 and https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed. If immediate patching is not feasible, disable the cachefiles module (rmmod cachefiles) as a temporary workaround, though this will break FS-Cache functionality for network filesystems like NFS and AFS that rely on local disk caching. Side effect: disabling cachefiles significantly degrades performance for cached network filesystems by forcing all operations to traverse the network. For production NFS/AFS deployments, patching is strongly preferred over disabling caching. Verify cachefiles usage with 'lsmod | grep cachefiles' before applying workarounds. Test kernel upgrades in non-production environments first as major version changes may introduce compatibility issues with out-of-tree drivers.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy