Impact
The flaw resides in the Linux kernel’s blkcg_maybe_throttle_current() function, where a missing put_disk() call on the error path prevents the release of a disk reference that was previously acquired by the blkcg_schedule_throttle() routine. As a result, the disk reference count is never decremented when a block‑cgroup lookup fails, causing the disk object to remain allocated indefinitely. This resource leak has the potential to exhaust kernel memory or degrade disk performance over time.
Affected Systems
All Linux kernels that include the buggy blkcg_maybe_throttle_current() logic are potentially impacted. The CNA affected‑vendor record lists the Linux kernel generically, and no specific version or patch level is indicated, so any system running a kernel version before the fix commit may be at risk.
Risk and Exploitability
The reported CVSS score is 5.5, indicating a medium severity vulnerability. EPSS information is unavailable, and the issue does not appear in the CISA KEV catalog, so the likelihood of exploitation is unknown. Because the defect lies in kernel code, an attacker would need privileged or kernel‑level access or an additional vulnerability to trigger the fault path. This inference is based on the kernel location of the bug and is not explicitly stated in the advisory.
OpenCVE Enrichment