PatchSiren

CVE-2026-43066 Linux CVE debrief

CVE-2026-43066 is a medium-severity (CVSS 3.1: 5.5) memory leak vulnerability in the Linux kernel's ext4 filesystem fast-commit replay logic. The flaw exists in ext4_fc_replay_inode(), where ext4_get_fc_inode_loc() acquires a reference to iloc.bh (a buffer head) that must be released via brelse(). Multiple error paths, including failures in ext4_handle_dirty_metadata(), sync_dirty_buffer(), ext4_mark_inode_used(), and ext4_iget(), incorrectly jump to the 'out' label without releasing this buffer head reference, causing a resource leak. The fix introduces an 'out_brelse' label to ensure iloc.bh is always released before exiting, and also corrects error propagation so the function returns actual error codes instead of always returning 0.

This vulnerability affects Linux kernel versions from 5.10 through multiple stable branches up to 7.0-rc5, with patches available for all supported stable releases. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector with low complexity, requiring low privileges, resulting in high availability impact through potential denial of service from resource exhaustion. The weakness is classified as CWE-401 (Missing Release of Memory after Effective Lifetime).

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-29
Advisory published: 2026-05-05
Advisory updated: 2026-05-29

Who should care

Linux system administrators running ext4 filesystems with fast-commit enabled; kernel maintainers and distributions packaging stable kernel updates; security teams tracking local denial-of-service conditions in filesystem subsystems.

Technical summary

The ext4_fc_replay_inode() function in fs/ext4/fast_commit.c acquires a buffer head via ext4_get_fc_inode_loc() stored in iloc.bh. This buffer head must be released with brelse() to prevent resource leaks. The original code had an 'out' label that skipped brelse(), reachable from four error conditions: ext4_handle_dirty_metadata() failure, sync_dirty_buffer() failure, ext4_mark_inode_used() failure, and ext4_iget() failure. The fix adds an 'out_brelse' label immediately before 'out' so all error paths release iloc.bh, and modifies return values to propagate actual error codes rather than unconditionally returning 0. This is a classic cleanup-path bug with no direct security boundary crossing, but repeated triggering could exhaust buffer head allocations and cause denial of service.
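
The cleanup-path pattern described above, as a simplified userspace model added here for illustration; it is not the kernel's code. struct buf, step(), replay_buggy(), replay_fixed() and leaked_after() are hypothetical names, and the integer reference count stands in for the buffer head reference that brelse() drops.

```c
#include <stdio.h>

/* Hypothetical model: a buffer head reduced to its refcount; step() fails on demand with -5 (-EIO). */
struct buf { int refs; };
static int step(int fail_at, int n) { return fail_at == n ? -5 : 0; }

/* Pre-fix shape: failures after the lookup jump to 'out' and skip the release. */
int replay_buggy(struct buf *b, int fail_at)
{
    if (step(fail_at, 0))                      /* lookup failed, nothing held */
        goto out;
    b->refs++;                                 /* lookup returned a held reference */
    if (step(fail_at, 1) || step(fail_at, 2))  /* a later step fails */
        goto out;
    b->refs--;                                 /* stands in for brelse() */
out:
    return 0;                                  /* error code is swallowed */
}

/* Post-fix shape: every path holding the reference leaves through 'out_brelse'. */
int replay_fixed(struct buf *b, int fail_at)
{
    int ret = step(fail_at, 0);
    if (ret)
        goto out;
    b->refs++;
    ret = step(fail_at, 1);
    if (ret)
        goto out_brelse;
    ret = step(fail_at, 2);
out_brelse:
    b->refs--;                                 /* released on success and on error */
out:
    return ret;                                /* real error code reaches the caller */
}

/* References still held after 'runs' replays that all fail at step 'fail_at'. */
int leaked_after(int (*fn)(struct buf *, int), int runs, int fail_at)
{
    struct buf b = { 0 };
    for (int i = 0; i < runs; i++)
        fn(&b, fail_at);
    return b.refs;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", leaked_after(replay_buggy, 1000, 2), leaked_after(replay_fixed, 1000, 2));
    return 0;
}
```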

Defensive priority

patch

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your release branch (5.10.253+, 5.15.203+, 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, or 7.0-rc6+).
  • If running a vulnerable kernel with ext4 fast-commit enabled, monitor for buffer head exhaustion symptoms (increased memory usage, filesystem slowdowns, or allocation failures in ext4 operations).
  • Consider disabling ext4 fast-commit (tune2fs -O ^fast_commit) as a temporary mitigation if patching is not immediately feasible, though this will disable fast-commit recovery benefits.
  • Validate successful patch application by verifying kernel version matches or exceeds the fixed release for your branch.

Evidence notes

Vulnerability description and patch details sourced from NVD record and kernel.org stable patch commits. Affected version ranges derived from NVD CPE criteria. CVSS 3.1 vector and score from NVD. CWE-401 classification from NVD weakness data. Timeline uses CVE published date (2026-05-05) per supplied metadata.
