Impact
The vulnerability lies in the ext4 file system driver of the Linux kernel. When the ext4_ext_shift_extents() function encounters a NULL extent in its loop, it exits immediately without releasing a previously allocated path obtained via ext4_find_extent(). This missing release causes a memory leak that can accumulate over time, reducing available memory and potentially leading to a denial‑of‑service situation if the leak is repeated frequently during heavy file‑system activity. The weakness is a resource‑management flaw that does not directly provide code execution, authentication bypass, or data disclosure.
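The early-return pattern described above, modelled as an added C example (constructed for this page, not the kernel's code): a lookup routine that allocates a path on first use and reuses it, a buggy loop that returns as soon as it meets a NULL extent, and a fixed loop that routes every exit through a single release point. find_extent(), free_ext_path(), ERR_CORRUPTED and the hole layout are assumptions of the model, and a live-allocation counter makes the leak observable.

```c
#include <stdlib.h>
/* Constructed model of the leak described above, not the kernel's code.
 * ERR_CORRUPTED stands in for the kernel's corruption error code. */
#define ERR_CORRUPTED (-1)
struct ext_path { struct extent { int id; } *p_ext; };
static struct extent some_extent = { 1 };
static int live_paths;   /* paths allocated and not yet released */
/* Stand-in for ext4_find_extent(): allocates the path on first use and reuses
 * it on later calls; p_ext is NULL when the lookup lands in a hole. */
static struct ext_path *find_extent(struct ext_path *path, int hole)
{
    if (!path) {
        if (!(path = calloc(1, sizeof *path))) abort();  /* OOM not modelled */
        live_paths++;
    }
    path->p_ext = hole ? NULL : &some_extent;
    return path;
}
static void free_ext_path(struct ext_path *p) { if (p) { free(p); live_paths--; } }

/* Buggy shape: the NULL-extent check returns from inside the loop. */
int shift_extents_buggy(const int *holes, int n)
{
    struct ext_path *path = NULL;
    for (int i = 0; i < n; i++) {
        path = find_extent(path, holes[i]);
        if (!path->p_ext)
            return ERR_CORRUPTED;   /* leak: path is never released */
    }
    free_ext_path(path);
    return 0;
}
/* Fixed shape: every exit after allocation goes through one release point. */
int shift_extents_fixed(const int *holes, int n)
{
    struct ext_path *path = NULL;
    int ret = 0;
    for (int i = 0; i < n; i++) {
        path = find_extent(path, holes[i]);
        if (!path->p_ext) { ret = ERR_CORRUPTED; goto out; }
    }
out:
    free_ext_path(path);
    return ret;
}
/* Run fn over a constructed extent layout; report paths left unreleased. */
int paths_leaked_by(int (*fn)(const int *, int), const int *holes, int n)
{
    live_paths = 0; (void)fn(holes, n); return live_paths;
}
```

Each 1 in the layout array marks a hole (NULL extent); the buggy variant leaves one path outstanding per run that hits a hole, which is the accumulation the advisory describes.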
Affected Systems
This issue affects the Linux kernel’s ext4 file system. No specific kernel versions are listed in the data, but the problem exists in any kernel that implements the ext4_ext_shift_extents() function prior to the patch. The vulnerability is therefore relevant to all Linux distributions that ship the ext4 driver without applying the fix.
Risk and Exploitability
The CVSS score is not supplied, and the EPSS score is unavailable, so the risk is not quantified by current metrics. The vulnerability is not listed in CISA KEV, suggesting it has not been widely exploited in the wild. Because this is an internal resource‑management bug, it can likely be triggered only by local users or processes that drive intensive ext4 operations. The exploitability is considered low, but for systems that demand high reliability, especially those writing large amounts of data to ext4, monitoring kernel memory usage and applying the patch is prudent.
OpenCVE Enrichment