Impact
The flaw originates from a missing fs_put_dax() call in the error handling path of xfs_alloc_buftarg(). Because the DAX device reference is never released on that path, it stays held persistently; such references can accumulate over time and exhaust the kernel's reference count or memory space associated with direct-access devices. While it does not expose data directly, the accumulation can degrade or halt system responsiveness, effectively creating a denial-of-service condition. The CVE description does not provide an explicit attack vector; it is inferred that an attacker must trigger the error path repeatedly, for example by performing numerous XFS operations that provoke allocation failures or by manipulating the filesystem in a way that causes errors. No network-based attack is described; exploitation requires local privilege or the ability to repeatedly induce errors.
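The leak pattern described above, as an added userspace C model; it is not the kernel's code or the actual patch. All names (dax_dev, dax_get, dax_put, alloc_target_leaky, alloc_target_fixed) are hypothetical stand-ins, and the fail_setup flag simulates a later setup step failing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins with hypothetical names; this is not kernel code. */
struct dax_dev { int refs; };             /* models the device refcount */
struct buftarg { struct dax_dev *dax; };
static struct dax_dev *dax_get(struct dax_dev *d) { d->refs++; return d; }
static void dax_put(struct dax_dev *d) { if (d) d->refs--; }

/* Before: the error path frees the target but keeps the reference. */
struct buftarg *alloc_target_leaky(struct dax_dev *d, int fail_setup)
{
    struct buftarg *bt = calloc(1, sizeof(*bt));
    if (!bt) return NULL;
    bt->dax = dax_get(d);
    if (fail_setup) {          /* assumed: a later setup step fails */
        free(bt);              /* reference taken above is never dropped */
        return NULL;
    }
    return bt;
}

/* After: the same error path releases the reference before freeing. */
struct buftarg *alloc_target_fixed(struct dax_dev *d, int fail_setup)
{
    struct buftarg *bt = calloc(1, sizeof(*bt));
    if (!bt) return NULL;
    bt->dax = dax_get(d);
    if (fail_setup) {
        dax_put(bt->dax);      /* pairs with dax_get() above */
        free(bt);
        return NULL;
    }
    return bt;
}

/* References still held on a fresh device after n failed allocations. */
int refs_after_failures(struct buftarg *(*alloc)(struct dax_dev *, int), int n)
{
    struct dax_dev d = { 0 };
    for (int i = 0; i < n; i++)
        alloc(&d, 1);
    return d.refs;
}

int main(void)
{
    printf("leaky=%d fixed=%d\n", refs_after_failures(alloc_target_leaky, 1000),
           refs_after_failures(alloc_target_fixed, 1000));
    return 0;
}
```

In the model, each failed call on the leaky path leaves one reference behind, so the count grows linearly with the number of induced failures, while the fixed path returns to zero.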
Affected Systems
Any Linux kernel build that predates the inclusion of the commit identified by 28a6c132b8c6e5eeefa889c4fb43d65b12989d48 is affected. That includes all distributions that ship kernels without this patch. The CNA listing simply notes "Linux:Linux" for affected products.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Because the defect is confined to kernel operations and requires the ability to repeatedly trigger the error path, exploitation is limited to locally privileged users or those who can influence XFS usage. The primary risk is availability: as the resource leak grows, system performance may degrade or the kernel may become unresponsive. Confidentiality and integrity risks are low, given the absence of data disclosure or modification paths.