Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix memory leak in ext4_ext_shift_extents()

In ext4_ext_shift_extents(), if the extent is NULL in the while loop, the
function returns immediately without releasing the path obtained via
ext4_find_extent(), leading to a memory leak.

Fix this by jumping to the out label to ensure the path is properly
released.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the ext4 file‑system driver of the Linux kernel. In the function ext4_ext_shift_extents(), when a NULL extent is encountered inside a loop, the function exits without releasing a path that was previously allocated by ext4_find_extent(). This omission causes a memory leak that can grow over time, potentially depleting system memory. The weakness is classified as a memory leak (CWE‑401) and a resource‑management flaw (CWE‑772).

Affected Systems

All Linux kernel versions that implement the ext4_ext_shift_extents() routine without the patch are affected. The vulnerability applies to kernels shipped in Linux distributions prior to the commit that introduced the fix. No specific kernel version numbers are listed, so any kernel source tree containing the unpatched code is subject to the leak.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium impact. The EPSS score of <1% shows a very low probability of exploitation. The issue does not provide direct code execution or data disclosure. Based on the description, it is inferred that an attacker would need local execution privileges on a node to trigger ext4 operations that produce the unfreed path. The risk is therefore low to moderate, with higher concern for systems that perform large write workloads on ext4, where a cumulative leak could accumulate over time.

Generated by OpenCVE AI on June 18, 2026 at 07:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the ext4_ext_shift_extents memory‑leak fix, such as the latest distribution package or the upstream patch referenced in the advisories.
  • If an update is delayed, monitor memory usage on servers running heavy ext4 workloads and reduce ext4 activity using cgroup limits or throttling to mitigate the accumulated leak.
  • Coordinate with the distribution maintainers to ensure the patched kernel version is distributed and applied during the next maintenance window, thereby permanently eliminating the resource leak.

Generated by OpenCVE AI on June 18, 2026 at 07:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
Ubuntu USN Ubuntu USN USN-8492-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8492-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8497-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8498-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8499-1 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8492-3 Linux kernel (Raspberry Pi Real-time) vulnerabilities
History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:3.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.15:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.15:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.15:rc8:*:*:*:*:*:*

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_ext_shift_extents() In ext4_ext_shift_extents(), if the extent is NULL in the while loop, the function returns immediately without releasing the path obtained via ext4_find_extent(), leading to a memory leak. Fix this by jumping to the out label to ensure the path is properly released.
Title ext4: fix memory leak in ext4_ext_shift_extents()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:04.937Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45948

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:11.157

Modified: 2026-06-17T10:52:46.703

Link: CVE-2026-45948

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45948 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:45:03Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime