A defect in the Linux kernel’s ext4 filesystem code causes the function ext4_xattr_inode_dec_ref_all() to acquire a buffer head through ext4_get_inode_loc() but never release it with brelse(), creating a reference‑count leak. Over time the unreleased buffer heads accumulate, depleting kernel memory and potentially leading to a denial‑of‑service or system instability. The primary impact is thus resource exhaustion at the kernel level.

All systems running a Linux kernel that predates the commit c8e008b60492 are susceptible. The commit was added to the ext4 subsystem to ignore extended attributes past the end and inadvertently introduced the leak when block checksumming is disabled. Any Linux distribution or custom kernel that has not applied the fix is exposed until the kernel is updated.

No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploits have been observed. The CVSS score of 5.5 reflects moderate severity. The likely attack vector is local: an attacker must perform filesystem operations that invoke ext4_xattr_inode_dec_ref_all(), which typically occurs during normal file or extended attribute manipulation. Based on the description, it is inferred that the attacker needs sufficient privileges to repeatedly access the affected filesystem to trigger the leak; however, the lack of public exploits and the local nature of the attack lower the immediate exploitation likelihood. Nevertheless, the potential for a denial‑of‑service warrants prompt remediation.