CVE-2026-43106 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix incorrect dentry refcount in cachefiles_cull()

The patch mentioned below changed cachefiles_bury_object() to expect 2
references to the 'rep' dentry. Three of the callers were changed to
use start_removing_dentry() which takes an extra reference so in those
cases the call gets the expected references.

However there is another call to cachefiles_bury_object() in
cachefiles_cull() which did not need to be changed to use
start_removing_dentry() and so was not properly considered.
It still passed the dentry with just one reference so the net result is
that a reference is lost.

To meet the expectations of cachefiles_bury_object(), cachefiles_cull()
must take an extra reference before the call. It will be dropped by
cachefiles_bury_object().

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel the cachefiles subsystem was found to pass a dentry to cachefiles_bury_object() with an incorrect reference count. The function expects two references to the cached object, but due to a missing call to start_removing_dentry() in cachefiles_cull() it received only one. Based on the description, it is inferred that this mismatch can decrement the reference counter incorrectly, leading to a use‑after‑free or memory corruption scenario that could be exploited to execute arbitrary code with kernel privileges.

Affected Systems

The affected product is the Linux kernel; the issue exists in implementations that contain the cachefiles.c code prior to the commit that applied the patch. Specific kernel version numbers are not enumerated in the advisory.

Risk and Exploitability

Based on the description, it is inferred that the vulnerability can lead to kernel‑level code execution through a use‑after‑free, exposing the system to local attackers who can trigger cachefiles_cull() by manipulating cached file objects or by inducing the subsystems to run. No CVSS or EPSS values were provided and the vulnerability is not listed in the CISA KEV catalog, so the exact exploitation probability is uncertain. It is also inferred that the potential impact is high and the attack vector is likely local or requires high privilege.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7bb1eb45e43c4730cbc5a48b9e9295049fccdacb`	affected	< 6577df7dc7a7de128442b6192c7a32195c923480
`7bb1eb45e43c4730cbc5a48b9e9295049fccdacb`	affected	< 1635c2acdde86c4f555b627aec873c8677c421ed

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`6.19.14`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that contains the patch commit addressing the reference counting bug
Reboot the system after the kernel update so the patched kernel is active
If a patched kernel is not yet available, disable the cachefiles feature by compiling the kernel with CONFIG_CACHEFILES=n or by unmounting file systems that utilize cachefiles
Monitor system logs for cache‑related errors or crashes and apply updates as soon as they become available

Generated by OpenCVE AI on May 6, 2026 at 12:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed
https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480

History

Wed, 06 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401 CWE-416

Wed, 06 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().
Title		cachefiles: fix incorrect dentry refcount in cachefiles_cull()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T07:40:34.365Z

Updated: 2026-05-06T07:40:34.365Z

Reserved: 2026-05-01T14:12:55.986Z

Link: CVE-2026-43106

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:24.213

Modified: 2026-05-06T10:16:24.213

Link: CVE-2026-43106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object