PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43419 Linux CVE debrief

CVE-2026-43419 is a Linux kernel Ceph client bug that can leak memory in ceph_mdsc_build_path() when error paths fail to release a path buffer allocated with __getname(). The upstream fix adds the missing __putname() cleanup before returning when ownership is not transferred to the caller. This is primarily a stability and resource-consumption issue rather than a direct code-execution flaw.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-12
Advisory published: 2026-05-08
Advisory updated: 2026-05-12

Who should care

Linux kernel maintainers, distro security teams, and operators running systems that use the Ceph client in kernel space should review this fix. Environments with heavy metadata/path handling activity are the most likely to notice resource impact from repeated leaks.

Technical summary

The vulnerability description states that ceph_mdsc_build_path() allocates a path buffer with __getname(), but some error code paths returned without freeing it. The fix ensures __putname() is called whenever the pointer is not handed off via path_info.path. Based on the supplied record, the issue is a memory leak in error handling for the Ceph filesystem path-building logic in the Linux kernel.
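The leak pattern described above, as a userspace C model added here for illustration (it is not the kernel's code or the upstream patch). model_getname(), model_putname(), struct model_path_info, build_path() and the over-long-name error condition are constructed stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PATH_MAX 4096
static int outstanding;            /* buffers allocated and not yet released */

/* Userspace stand-ins (assumed names) for __getname() and __putname(). */
static char *model_getname(void)
{
    char *p = malloc(MODEL_PATH_MAX);
    if (p) outstanding++;
    return p;
}
static void model_putname(char *p) { outstanding--; free(p); }

struct model_path_info { char *path; };  /* hypothetical: caller owns path */

/* patched == 0 models the leaking error path, patched == 1 the cleanup
 * the fix adds when ownership is not transferred to the caller. */
static int build_path(const char *name, struct model_path_info *info, int patched)
{
    char *buf = model_getname();
    if (!buf) return -1;
    if (strlen(name) >= MODEL_PATH_MAX) {   /* constructed error condition */
        if (patched) model_putname(buf);    /* without this, buf is lost */
        return -2;
    }
    strcpy(buf, name);
    info->path = buf;   /* ownership handed off: the caller releases it */
    return 0;
}

/* Drive n failing calls and report how many buffers were never released. */
static int leaked_after(int patched, int n)
{
    static char too_long[MODEL_PATH_MAX + 1];   /* constructed input */
    struct model_path_info info = { NULL };
    memset(too_long, 'a', MODEL_PATH_MAX);      /* strlen == MODEL_PATH_MAX */
    outstanding = 0;
    while (n-- > 0)
        build_path(too_long, &info, patched);
    return outstanding;
}

int main(void)
{
    printf("leaky: %d, patched: %d\n", leaked_after(0, 100), leaked_after(1, 100));
    return 0;
}
```

Each failing call in the unpatched model strands one buffer, so the count grows linearly with the number of errors, which is why repeated failures show up as steady memory growth.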

Defensive priority

Low to medium. The issue is an availability/resource-management problem with a published fix, but the supplied record does not indicate code execution, privilege escalation, or active exploitation.

Recommended defensive actions

  • Apply the Linux kernel patch that adds the missing __putname() cleanup in ceph_mdsc_build_path().
  • Prioritize rollout on systems that enable and actively use the Ceph client.
  • Monitor affected hosts for unusual memory growth or instability if patching is delayed.
  • Track kernel and distro advisories for backported fixes that correspond to the referenced upstream commits.
  • If you maintain downstream kernels, verify the fix is present in all supported branches that include the Ceph client code.

Evidence notes

The supplied CVE description explicitly says the fix resolves memory leaks in ceph_mdsc_build_path() by adding __putname() calls on error paths that did not free the path pointer obtained by __getname(). The NVD record provided in the corpus lists the vulnerability status as 'Undergoing Analysis' and includes five kernel.org stable commit references. No CVSS score, KEV entry, or weaponized exploitation information was provided in the source corpus.

Official resources

Published in the CVE record on 2026-05-08 and modified on 2026-05-12. No KEV listing is present in the supplied timeline, and the NVD record in the corpus is still marked 'Undergoing Analysis'.