CVE-2026-43106

EUVD-2026-27622

06.05.2026, 10:16

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix incorrect dentry refcount in cachefiles_cull()

The patch mentioned below changed cachefiles_bury_object() to expect 2
references to the 'rep' dentry.  Three of the callers were changed to
use start_removing_dentry() which takes an extra reference so in those
cases the call gets the expected references.

However there is another call to cachefiles_bury_object() in
cachefiles_cull() which did not need to be changed to use
start_removing_dentry() and so was not properly considered.
It still passed the dentry with just one reference so the net result is
that a reference is lost.

To meet the expectations of cachefiles_bury_object(), cachefiles_cull()
must take an extra reference before the call.  It will be dropped by
cachefiles_bury_object().

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.170-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-3 fixed
forky	6.19.14-1 fixed
sid	7.0.3-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.85-1 fixed

References

https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed

https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480