PatchSiren

CVE-2026-43065 Linux CVE debrief

A vulnerability in the Linux kernel's ext4 filesystem could allow a local attacker to cause a denial of service condition. The issue occurs when an ext4 filesystem is mounted with the `discard` option, files are deleted (populating the discard work queue), then remounted with `nodiscard`, and subsequently unmounted before queued discard work completes. In this scenario, `ext4_mb_release()` fails to drain pending discard work, potentially leading to use-after-free or memory corruption during unmount. The vulnerability was identified during automated code review and affects multiple stable kernel branches. Patches are available for supported kernel versions.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-29
Advisory published: 2026-05-05
Advisory updated: 2026-05-29

Who should care

Linux system administrators, kernel maintainers, and security teams managing systems with ext4 filesystems using the discard mount option. Cloud providers and virtualization platforms offering discard/TRIM-enabled storage should prioritize patching to prevent potential guest-triggered host instability.

Technical summary

The ext4 filesystem's multi-block allocator (`mballoc`) maintains a discard work queue (`s_discard_list`/`s_discard_work`) for asynchronous block discard operations when mounted with `-o discard`. When the filesystem is remounted with `-o nodiscard`, the `EXT4_MOUNT_DISCARD` flag is cleared, but pending discard work is neither cancelled nor flushed. If `ext4_mb_release()` is subsequently called during unmount before the workqueue drains naturally, the pending work may reference freed structures, leading to memory corruption or a kernel crash. The fix modifies `ext4_mb_release()` to unconditionally drain queued discard work using `cancel_work_sync()` or an equivalent mechanism, ensuring no stale work items remain during filesystem teardown.

Defensive priority

Medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your kernel version branch.
  • If immediate patching is not feasible, avoid remounting ext4 filesystems from `discard` to `nodiscard` when discard work may be pending, and ensure adequate time for queued discard operations to complete before unmount.
  • Monitor kernel logs for ext4-related errors during unmount operations that may indicate this condition.
  • Plan kernel updates to versions 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or later stable releases containing the fix.
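
The exposure check implied by the actions above, as an added example that is not code from the advisory or the kernel project. It compares a kernel release string against the fixed stable releases listed above and lists ext4 filesystems mounted with `discard`; the function names and the sample mounts data are constructed for illustration.

```shell
#!/bin/sh
# Fixed stable releases as listed on this page. Vendor kernels that backport
# the fix without bumping the upstream version will be reported as vulnerable.
FIXED_RELEASES="5.15.203 6.1.168 6.6.131 6.12.80 6.18.21 6.19.11"

# kernel_status <release>: prints patched, vulnerable, or unknown.
kernel_status() {
    ver=${1%%[!0-9.]*}                 # drop "-generic", "+deb", "-rc5" suffixes
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                # "7.0" has no patch level
    esac
    patch=${patch:-0}
    for fixed in $FIXED_RELEASES; do
        if [ "$major.$minor" = "${fixed%.*}" ]; then
            if [ "$patch" -ge "${fixed##*.}" ]; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown                       # branch not listed here: check vendor advisory
}

# discard_ext4_mounts <mounts-file>: prints mount points of ext4 filesystems
# mounted with discard (the precondition for the bug). Format: /proc/mounts.
discard_ext4_mounts() {
    while read -r dev mnt fstype opts junk; do
        [ "$fstype" = ext4 ] || continue
        case ",$opts," in *,discard,*) echo "$mnt" ;; esac
    done < "$1"
}

# report <release> <mounts-file>: one-line verdict combining both checks.
report() {
    kstatus=$(kernel_status "$1"); mounts=$(discard_ext4_mounts "$2" | tr '\n' ' ')
    if [ "$kstatus" != patched ] && [ -n "$mounts" ]; then
        echo "REVIEW kernel=$1 ($kstatus) ext4-discard: $mounts"
    else
        echo "OK kernel=$1 ($kstatus) ext4-discard: ${mounts:-none}"
    fi
}

# Constructed sample; on a live host: report "$(uname -r)" /proc/mounts
sample=$(mktemp)
printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
    '/dev/sdb1 /data ext4 rw,relatime,discard 0 0' \
    '/dev/sdc1 /scratch xfs rw,discard 0 0' > "$sample"
report "6.6.120-generic" "$sample"; rm -f "$sample"
```

A filesystem that was remounted to `nodiscard` no longer shows `discard` in `/proc/mounts`, so run the mount check before any such remount, or check `/etc/fstab` as well.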

Evidence notes

The vulnerability description indicates this was discovered through analysis of ext4 mballoc patches by the Sashiko automated review tool. The issue is a pre-existing bug: clearing the `EXT4_MOUNT_DISCARD` flag during remount does not cancel or flush `s_discard_work`. The fix ensures `ext4_mb_release()` always drains queued discard work regardless of current mount options. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields a score of 5.5 (MEDIUM). NVD CPE criteria specify affected versions: 5.15 through 5.15.202, 5.16 through 6.1.168, 6.2 through 6.6.131, 6.7 through 6.12.80, 6.13 through 6.18.21, 6.19 through 6.19.11, and 7.0-rc1 through 7.0-rc5. Seven stable kernel patches are referenced.

Official resources

2026-05-05T16:16:15.683Z