CVE-2026-43066
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
During code review, Joseph found that ext4_fc_replay_inode() calls ext4_get_fc_inode_loc() to get the inode location, which holds a reference to iloc.bh that must be released via brelse().
However, several error paths jump to the 'out' label without releasing iloc.bh:
- ext4_handle_dirty_metadata() failure
- sync_dirty_buffer() failure
- ext4_mark_inode_used() failure
- ext4_iget() failure
Fix this by introducing an 'out_brelse' label placed just before the existing 'out' label to ensure iloc.bh is always released.
Additionally, make ext4_fc_replay_inode() propagate errors properly instead of always returning 0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer head leak in ext4_fc_replay_inode() error paths could lead to memory exhaustion or system instability; patched in Linux stable kernels.
Vulnerability Description
The vulnerability is a resource leak in the Linux kernel's ext4 file system. The function ext4_fc_replay_inode(), used during fast commit replay, calls ext4_get_fc_inode_loc() to obtain the inode location, which takes a reference to iloc.bh (a buffer head). This reference must be explicitly released via brelse(). However, multiple error paths within the function jump to the 'out' label without first releasing iloc.bh, resulting in a buffer head leak [1].
Exploitability
An attacker with the ability to trigger a fast commit replay and induce failures in one of the following operations could exploit the leak: ext4_handle_dirty_metadata() failure, sync_dirty_buffer() failure, ext4_mark_inode_used() failure, or ext4_iget() failure [2]. The vulnerability is triggered during normal filesystem recovery or mount operations, so a local user or an attacker able to make the filesystem go through a fast commit replay (e.g., by causing a crash and reboot) could repeatedly trigger the leak.
Impact
A repeated failure to release iloc.bh would cause a gradual depletion of kernel memory buffers. Over time, this could lead to memory exhaustion on the system, potentially causing denial of service or system instability. Additionally, the function was returning 0 (success) even on error paths, so no error was propagated to the caller, which could mask ongoing problems [3].
Mitigation
The patch introduces a new label 'out_brelse' before the existing 'out' label to ensure brelse() is always called before exiting. Additionally, the function now properly propagates error codes instead of always returning zero [4]. The fix has been applied to the Linux stable tree and is included in several stable kernel releases.
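A userspace model of the cleanup-label fix described above, added here as an illustration and not taken from the kernel patch. The names `struct buf`, `get_loc()`, `put_buf()`, `step()` and the label `out_release` are hypothetical stand-ins for the buffer head, ext4_get_fc_inode_loc(), brelse(), the four failing calls and 'out_brelse'; the order of the steps is an assumption.

```c
#include <errno.h>
#include <stdio.h>
/* Userspace stand-ins (hypothetical names): a refcounted buffer and helpers. */
static struct buf { int refs; } sample;          /* constructed sample buffer */
static int get_loc(struct buf **bh) { *bh = &sample; sample.refs++; return 0; }
static void put_buf(struct buf *bh) { if (bh) bh->refs--; } /* role of brelse() */
/* Steps 1..4 stand for the four calls the description lists as failing. */
static int step(int n, int fail_at) { return n == fail_at ? -EIO : 0; }

/* Before: error paths jump past the release, and the result is always 0. */
static int replay_before(int fail_at)
{
	struct buf *bh = NULL;
	int ret = get_loc(&bh);
	if (ret) goto out;
	for (int n = 1; n <= 4; n++)
		if ((ret = step(n, fail_at))) goto out;  /* bh is still held here */
	put_buf(bh);
out:
	return 0;                                    /* error is swallowed */
}

/* After: exits taken while bh is held pass through out_release; errors propagate. */
static int replay_after(int fail_at)
{
	struct buf *bh = NULL;
	int ret = get_loc(&bh);
	if (ret) goto out;                           /* nothing held yet */
	for (int n = 1; n <= 4; n++)
		if ((ret = step(n, fail_at))) goto out_release;
out_release:
	put_buf(bh);
out:
	return ret;
}

/* References still held after one call; 0 means nothing leaked. */
static int held_after(int (*fn)(int), int fail_at)
{
	sample.refs = 0;
	fn(fail_at);
	return sample.refs;
}
int main(void)
{
	for (int f = 0; f <= 4; f++)   /* f == 0 means no step fails */
		printf("fail_at=%d held before fix=%d, after fix=%d\n", f,
		       held_after(replay_before, f), held_after(replay_after, f));
	return 0;
}
```

Each failing step leaves one reference held in the "before" variant while the caller still sees success, which is why repeated replays accumulate leaked buffers without any reported error.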
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/0892f12cd49fde5d5db68137923db107f894f3a3 (nvd)
- git.kernel.org/stable/c/19782b4c793b49a6aa4abbb307ddff3610009d21 (nvd)
- git.kernel.org/stable/c/5a63033696e60b5d70816f1d119645ac5b0b0a03 (nvd)
- git.kernel.org/stable/c/9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25 (nvd)
- git.kernel.org/stable/c/c426231e3d51916e83b6d1ab7ed8a65e83bca5b4 (nvd)
- git.kernel.org/stable/c/ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b (nvd)
- git.kernel.org/stable/c/ec0a7500d8eace5b4f305fa0c594dd148f0e8d29 (nvd)
- git.kernel.org/stable/c/f7817ad399d604e8639005d87d148b5ec626ad26 (nvd)