CVE-2026-43106
Analyzed Analyzed - Analysis Complete
Reference Leak in Linux Kernel cachefiles

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-05-27
AI Q&A
2026-05-06
EPSS Evaluated
2026-05-25
NVD
CVE-2026-43106
EUVD
EUVD-2026-27622
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is related to the Linux kernel's cachefiles subsystem. It involves an incorrect reference count handling of a directory entry (dentry) in the function cachefiles_cull(). A patch changed the function cachefiles_bury_object() to expect two references to the 'rep' dentry, and most callers were updated accordingly to provide the correct number of references. However, one call within cachefiles_cull() was not updated properly and still passed the dentry with only one reference, causing a reference to be lost. The fix requires cachefiles_cull() to take an extra reference before calling cachefiles_bury_object(), which will then drop it as expected.


How can this vulnerability impact me? :

This vulnerability involves an incorrect dentry reference count in the Linux kernel's cachefiles subsystem. Specifically, a reference is lost due to improper handling of dentry references in the cachefiles_cull() function. This could potentially lead to resource management issues within the kernel, such as use-after-free or memory corruption, which might affect system stability or security.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is related to an incorrect dentry reference count in the Linux kernel's cachefiles subsystem. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the patch fixing the cachefiles_cull() function to properly handle dentry references.

Specifically, ensure that your kernel version includes the fix where cachefiles_cull() takes an extra reference before calling cachefiles_bury_object(), as described in the patch.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart