The vulnerability arises in the ext4 file‑system driver of the Linux kernel. During the execution of ext4_ext_shift_extents(), a NULL extent encountered within a loop causes the function to exit prematurely without freeing a path previously allocated by ext4_find_extent(). This omission produces a memory leak that can accumulate over time, potentially exhausting available memory and leading to a denial‑of‑service condition if the operation is repeated frequently under heavy filesystem activity. The weakness is a memory leak (CWE‑401) and a resource‑management flaw (CWE‑772).

Affects Linux kernels that implement ext4_ext_shift_extents() without the patch, i.e., all Linux distributions shipping the ext4 driver prior to this commit. No specific version numbers are listed, so any kernel whose source tree contains the unpatched code is subject to the leak.

The CVSS score of 5.5 indicates medium impact. The EPSS score of <1% shows a very low probability of exploitation. The issue does not provide direct code execution or data disclosure; it requires triggering ext4 operations that produce the unfreed path. Based on the description, it is inferred that an attacker would need local execution privileges on a node to perform the filesystem actions that provoke the leak. The risk is therefore low to moderate, more significant for systems that ingest large write workloads on ext4, where a cumulative leak could degrade service availability.