Description
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix incorrect dentry refcount in cachefiles_cull()

The patch mentioned below changed cachefiles_bury_object() to expect 2
references to the 'rep' dentry. Three of the callers were changed to
use start_removing_dentry() which takes an extra reference so in those
cases the call gets the expected references.

However there is another call to cachefiles_bury_object() in
cachefiles_cull() which did not need to be changed to use
start_removing_dentry() and so was not properly considered.
It still passed the dentry with just one reference so the net result is
that a reference is lost.

To meet the expectations of cachefiles_bury_object(), cachefiles_cull()
must take an extra reference before the call. It will be dropped by
cachefiles_bury_object().
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect reference count in the cachefiles subsystem caused by an oversight in cachefiles_cull() inadvertently releases a dentry reference prematurely. The function cachefiles_bury_object expects two references, but only one is supplied, resulting in a counter that under‑decrements. This under‑decrement can lead to a use‑after‑free or other memory corruption inside the kernel. The vulnerability may allow an attacker able to trigger the faulty cache eviction path to cause a crash or, potentially, execute arbitrary code with kernel privileges.

Affected Systems

The vulnerability impacts Linux kernels that include the cachefiles feature and have not yet incorporated the missing reference added in the patch. No specific kernel version numbers are documented, so any pre‑patched kernel that supports cachefiles qualifies as vulnerable. The affected product is the Linux operating system kernel; all distributions that ship the kernel with active cachefiles support are potentially affected.

Risk and Exploitability

The CVSS score of 7.8 signifies high severity. The EPSS score of <1% indicates a low probability of exploitation in practice. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require local privilege or the ability to influence cache eviction in a filesystem that uses cachefiles, as the flaw is limited to kernel memory handling. No remote exploitation vectors are documented, and the exploitation path requires internal code path within the kernel, making it a local issue.

Generated by OpenCVE AI on May 11, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the cachefiles reference‑count patch
  • Reboot the system to ensure the patched kernel is active
  • If a kernel upgrade is not feasible, disable cachefiles support by setting CONFIG_CACHEFILES=n during compilation or unmounting any filesystems that rely on cachefiles

Generated by OpenCVE AI on May 11, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-416

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().
Title cachefiles: fix incorrect dentry refcount in cachefiles_cull()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:50.991Z

Reserved: 2026-05-01T14:12:55.986Z

Link: CVE-2026-43106

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:24.213

Modified: 2026-05-11T17:31:12.830

Link: CVE-2026-43106

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43106 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses