PatchSiren cyber security CVE debrief

CVE-2026-46046 Linux CVE debrief

A buffer reference leak vulnerability exists in the Linux kernel's ext4 filesystem implementation. The flaw occurs in `ext4_xattr_inode_dec_ref_all()` where `ext4_get_inode_loc()` acquires `iloc.bh` (a buffer head), but this buffer is never released via `brelse()` when `block_csum` is false. This was introduced by commit c8e008b60492 (ext4: ignore xattrs past end). The missing buffer release leads to a reference count leak, which can contribute to resource exhaustion over time. Multiple stable kernel branches have received fixes.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and organizations running ext4 filesystems on production systems

Technical summary

The `ext4_xattr_inode_dec_ref_all()` function in the Linux kernel fails to release a buffer head obtained via `ext4_get_inode_loc()` when `block_csum` is false. This results in a buffer reference count leak that can lead to resource exhaustion. The vulnerability was introduced by commit c8e008b60492 and affects systems using ext4 extended attributes.
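A user-space C model of the leak pattern described above, added here as an illustration; it is not kernel code or the upstream patch. `model_bh`, `model_get_inode_loc()`, `model_brelse()` and both `dec_ref_all_*` functions are hypothetical stand-ins, and the model assumes the `block_csum` true path does release the buffer.

```c
#include <stdio.h>
#include <stdbool.h>

/* User-space stand-in for a kernel buffer head: only the reference count. */
struct model_bh { int b_count; };
static struct model_bh inode_block = { 0 };   /* constructed sample buffer */

/* Stand-in for ext4_get_inode_loc(): returns the buffer with a reference taken. */
static struct model_bh *model_get_inode_loc(void) {
    inode_block.b_count++;
    return &inode_block;
}

/* Stand-in for brelse(): drops one reference, tolerates NULL. */
static void model_brelse(struct model_bh *bh) {
    if (bh && bh->b_count > 0)
        bh->b_count--;
}

/* Leaky shape: the release happens only on the block_csum path.
 * Assumption of this model: the real function's other logic is omitted. */
static void dec_ref_all_leaky(bool block_csum) {
    struct model_bh *bh = model_get_inode_loc();
    if (block_csum)
        model_brelse(bh);
    /* block_csum == false: returns while still holding the reference */
}

/* Balanced shape: the release no longer depends on the flag. */
static void dec_ref_all_fixed(bool block_csum) {
    struct model_bh *bh = model_get_inode_loc();
    (void)block_csum;
    model_brelse(bh);
}

/* Run `calls` invocations and return how many references remain held. */
static int leaked_refs(void (*fn)(bool), bool block_csum, int calls) {
    inode_block.b_count = 0;
    for (int i = 0; i < calls; i++)
        fn(block_csum);
    return inode_block.b_count;
}

int main(void) {
    printf("leaky, block_csum=false: %d\n", leaked_refs(dec_ref_all_leaky, false, 1000));
    printf("leaky, block_csum=true:  %d\n", leaked_refs(dec_ref_all_leaky, true, 1000));
    printf("fixed, block_csum=false: %d\n", leaked_refs(dec_ref_all_fixed, false, 1000));
    return 0;
}
```

Each unbalanced call leaves one reference behind, so the held count grows linearly with the number of calls on the affected path, which is why the impact is gradual resource exhaustion rather than an immediate fault.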

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from your Linux distribution that include the referenced stable kernel commits
  • Monitor for ext4 filesystem resource exhaustion indicators on affected systems
  • Verify kernel version includes fix commits: 097227f1ffe1a85bc3c359f81c71e3d40e06e920, 1bc1107a3a403a6d440673ed6666f7b07ef868a8, 1e6b0a69bf2c9c819255c7566e4355536d81d9cf, 77d059519382bd66283e6a4e83ee186e87e7708f, or f0729

Evidence notes

Vulnerability description confirms missing `brelse()` call in `ext4_xattr_inode_dec_ref_all()`. Source references indicate fixes applied to multiple stable kernel branches. No CVSS score or severity assigned by NVD at time of disclosure.
