Impact
The vulnerability exists in the ext4 file‑system driver of the Linux kernel. In the function ext4_ext_shift_extents(), when a NULL extent is encountered inside a loop, the function exits without releasing a path that was previously allocated by ext4_find_extent(). This omission causes a memory leak that can grow over time, potentially depleting system memory. The weakness is classified as a memory leak (CWE‑401) and a resource‑management flaw (CWE‑772).
Affected Systems
All Linux kernel versions that implement the ext4_ext_shift_extents() routine without the patch are affected. The vulnerability applies to kernels shipped in Linux distributions prior to the commit that introduced the fix. No specific kernel version numbers are listed, so any kernel source tree containing the unpatched code is subject to the leak.
Risk and Exploitability
The CVSS score of 5.5 indicates a medium impact. The EPSS score of <1% shows a very low probability of exploitation. The issue does not provide direct code execution or data disclosure. Based on the description, it is inferred that an attacker would need local execution privileges on a node to trigger ext4 operations that produce the unfreed path. The risk is therefore low to moderate, with higher concern for systems that perform large write workloads on ext4, where a cumulative leak could accumulate over time.
OpenCVE Enrichment
Debian DLA
Ubuntu USN