2466988 – (CVE-2026-43106) CVE-2026-43106 kernel: cachefiles: fix incorrect dentry refcount in cachefiles_cull()

Bug 2466988 (CVE-2026-43106) - CVE-2026-43106 kernel: cachefiles: fix incorrect dentry refcount in cachefiles_cull()

Summary: CVE-2026-43106 kernel: cachefiles: fix incorrect dentry refcount in cachefile...

Keywords:
Status:	NEW
Alias:	CVE-2026-43106
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-06 10:02 UTC by OSIDB Bzimport
Modified:	2026-05-06 15:06 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-06 10:02:00 UTC

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix incorrect dentry refcount in cachefiles_cull()

The patch mentioned below changed cachefiles_bury_object() to expect 2
references to the 'rep' dentry.  Three of the callers were changed to
use start_removing_dentry() which takes an extra reference so in those
cases the call gets the expected references.

However there is another call to cachefiles_bury_object() in
cachefiles_cull() which did not need to be changed to use
start_removing_dentry() and so was not properly considered.
It still passed the dentry with just one reference so the net result is
that a reference is lost.

To meet the expectations of cachefiles_bury_object(), cachefiles_cull()
must take an extra reference before the call.  It will be dropped by
cachefiles_bury_object().

Comment 1 Alexander B 2026-05-06 15:02:58 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050623-CVE-2026-43106-df89@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.