CVE-2026-43066 Overview
CVE-2026-43066 is a memory leak vulnerability in the Linux kernel's ext4 filesystem implementation. The flaw resides in the ext4_fc_replay_inode() function, which handles fast commit replay operations during journal recovery. The function calls ext4_get_fc_inode_loc() to retrieve inode location data, acquiring a buffer head reference (iloc.bh) that must be released via brelse(). Several error paths jump to the out label without releasing this reference, leaking buffer head memory on each error condition. The issue was identified during code review by a contributor named Joseph and resolved across multiple stable Linux kernel branches.
Critical Impact
Repeated buffer head leaks during ext4 fast commit replay error conditions can degrade kernel memory availability, potentially leading to resource exhaustion on systems performing frequent journal recovery operations.
Affected Products
- Linux kernel ext4 filesystem subsystem
- Multiple stable kernel branches receiving the backported fix
- Systems using ext4 with the fast commit (fast_commit) feature enabled
Discovery Timeline
- 2026-05-05 - CVE-2026-43066 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43066
Vulnerability Analysis
The vulnerability exists in the ext4 fast commit replay code path. When ext4_fc_replay_inode() is invoked during journal recovery, it calls ext4_get_fc_inode_loc() to obtain the on-disk location of an inode. This call returns a reference to a buffer head structure stored in iloc.bh, which the caller is responsible for releasing.
Four distinct error paths within the function fail to release iloc.bh before exiting:
- ext4_handle_dirty_metadata() failure
- sync_dirty_buffer() failure
- ext4_mark_inode_used() failure
- ext4_iget() failure
Each failed call jumps to the out label, bypassing the required brelse() invocation. Additionally, the function previously returned 0 regardless of internal errors, masking failure conditions from upper layers of the journal replay logic.
Root Cause
The root cause is a missing resource cleanup in error handling paths, classified as a memory leak [CWE-401]. The function lacked a dedicated cleanup label that releases the buffer head before returning. Coupled with improper error propagation, the defect both leaks kernel memory and silently swallows replay failures.
Attack Vector
The vulnerability is triggered locally during ext4 fast commit replay, which occurs after an unclean shutdown or crash on a filesystem mounted with fast commit enabled. Triggering the leak requires specific failures in metadata handling, buffer synchronization, inode marking, or inode retrieval during replay. The flaw does not provide a direct path to code execution or privilege escalation, but repeated triggering can exhaust kernel buffer head allocations.
The upstream patch introduces an out_brelse label placed before the existing out label, ensuring brelse(iloc.bh) runs on every error exit. The fix also propagates errors from ext4_fc_replay_inode() to its callers instead of unconditionally returning 0. Patch details are available in Linux kernel commit f7817ad and the related stable backports.
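As an added illustration (not the kernel's code and not the commit itself), the C model below reproduces the error-path shape described above: a stand-in buffer_head with a reference count, name-based failure injection standing in for the four helpers that can fail, and the replay function written first in the vulnerable shape and then with the out_brelse label and error propagation the patch introduces. The helper signatures, the injection mechanism and the leaked_refs() checker are all simplified assumptions.

```c
#include <errno.h>
#include <string.h>
/* Stand-in for the kernel's buffer_head: only the reference count matters here. */
struct buffer_head { int b_count; };
struct ext4_iloc { struct buffer_head *bh; };
static struct buffer_head fc_bh;   /* buffer backing the replayed inode's location */
/* Failure injection (assumed): the helper whose name matches fail_at returns -EIO. */
static const char *fail_at;
static int call(const char *fn) { return (fail_at && !strcmp(fail_at, fn)) ? -EIO : 0; }
static void brelse(struct buffer_head *bh) { if (bh) bh->b_count--; }
static int ext4_get_fc_inode_loc(struct ext4_iloc *iloc)
{ fc_bh.b_count++; iloc->bh = &fc_bh; return 0; }   /* caller now owns one reference */
/* Vulnerable shape: every failure jumps straight to 'out', past brelse(). */
static int replay_inode_vulnerable(const char *inject)
{
    struct ext4_iloc iloc = { 0 }; int ret;
    fail_at = inject;
    ret = ext4_get_fc_inode_loc(&iloc);        if (ret) goto out;
    ret = call("ext4_handle_dirty_metadata");  if (ret) goto out;   /* leaks iloc.bh */
    ret = call("sync_dirty_buffer");           if (ret) goto out;   /* leaks iloc.bh */
    ret = call("ext4_mark_inode_used");        if (ret) goto out;   /* leaks iloc.bh */
    ret = call("ext4_iget");                   if (ret) goto out;   /* leaks iloc.bh */
    brelse(iloc.bh);                 /* only the success path releases the reference */
out:
    return 0;                        /* and the failure is hidden from the caller */
}
/* Fixed shape: an out_brelse label ahead of 'out' makes the release unconditional. */
static int replay_inode_fixed(const char *inject)
{
    struct ext4_iloc iloc = { 0 }; int ret;
    fail_at = inject;
    ret = ext4_get_fc_inode_loc(&iloc);        if (ret) goto out;   /* nothing held yet */
    ret = call("ext4_handle_dirty_metadata");  if (ret) goto out_brelse;
    ret = call("sync_dirty_buffer");           if (ret) goto out_brelse;
    ret = call("ext4_mark_inode_used");        if (ret) goto out_brelse;
    ret = call("ext4_iget");                   if (ret) goto out_brelse;
out_brelse:
    brelse(iloc.bh);                 /* single release point for success and failure */
out:
    return ret;                      /* error propagated to the replay caller */
}

/* Run one replay with the given injected failure; report references left behind. */
static int leaked_refs(int (*replay)(const char *), const char *inject)
{
    fc_bh.b_count = 0;               /* fresh buffer, no outstanding references */
    replay(inject);
    return fc_bh.b_count;            /* 0 = released, 1 = leaked buffer head */
}
```

Injecting any of the four failures into the vulnerable shape leaves one reference behind and still returns 0; the fixed shape leaves none and returns the error.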
Detection Methods for CVE-2026-43066
Indicators of Compromise
- Growing Buffers value in /proc/meminfo on systems performing repeated ext4 journal replay
- Increasing slab usage for buffer_head entries visible in /proc/slabinfo
- Repeated ext4 fast commit replay errors logged to the kernel ring buffer (dmesg) during mount operations
Detection Strategies
- Compare kernel version inventories against the listed stable commits to identify hosts still running unpatched kernel branches
- Track ext4 mount events followed by fast commit replay errors using audit and syslog telemetry
- Correlate slab memory growth with buffer_head allocations on long-running systems mounting ext4 volumes
Monitoring Recommendations
- Enable kernel telemetry collection on Linux hosts and forward dmesg and journal logs to centralized analysis
- Track kmem_cache statistics over time to detect abnormal buffer_head retention
- Alert on repeated unclean ext4 shutdowns that trigger fast commit replay paths
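As an added example for the slab-based detection recommended above (not from the page or any monitoring product), this C snippet parses two constructed /proc/slabinfo excerpts and reports the growth of active buffer_head objects between them. The snapshot contents, the cache names and the alert threshold a deployment would choose are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/slabinfo excerpts (not captured from a real host): the same
 * caches sampled before and after a run of repeated fast commit replays. */
static const char *slabinfo_before =
    "slabinfo - version: 2.1\n"
    "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables ...\n"
    "ext4_inode_cache    4200   4293   1184   27    8 : tunables 0 0 0 : slabdata 159 159 0\n"
    "buffer_head        18000  19110    104   39    1 : tunables 0 0 0 : slabdata 490 490 0\n";
static const char *slabinfo_after =
    "slabinfo - version: 2.1\n"
    "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables ...\n"
    "ext4_inode_cache    4210   4293   1184   27    8 : tunables 0 0 0 : slabdata 159 159 0\n"
    "buffer_head        91000  91260    104   39    1 : tunables 0 0 0 : slabdata 2340 2340 0\n";

/* Active object count for one named cache, or -1 if the cache is not listed.
 * The version and header lines fail the numeric conversions and are skipped. */
static long slab_active_objs(const char *slabinfo, const char *cache)
{
    const char *line = slabinfo;
    while (*line) {
        char name[64]; long active, total;
        if (sscanf(line, "%63s %ld %ld", name, &active, &total) == 3 &&
            strcmp(name, cache) == 0)
            return active;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Percentage growth of active buffer_head objects between two snapshots, or -1
 * when either snapshot lacks the cache. */
static long buffer_head_growth_pct(const char *before, const char *after)
{
    long a = slab_active_objs(before, "buffer_head");
    long b = slab_active_objs(after, "buffer_head");
    if (a <= 0 || b < 0) return -1;
    return (b - a) * 100 / a;
}

/* Alert decision; the threshold is a deployment choice, not a value from the page. */
static int buffer_head_alert(const char *before, const char *after, long threshold_pct)
{
    long growth = buffer_head_growth_pct(before, after);
    return growth >= 0 && growth >= threshold_pct;
}
```

buffer_head counts also rise with ordinary page-cache activity, so compare against a per-host baseline rather than alerting on any growth at all.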
How to Mitigate CVE-2026-43066
Immediate Actions Required
- Apply the upstream Linux kernel patch or update to a stable kernel version that includes the fix from the referenced commits
- Inventory Linux systems using ext4 with fast commit enabled and prioritize patching long-running hosts
- Reboot affected systems after kernel updates to load the patched kernel image
Patch Information
The fix is distributed across multiple stable branches via commits including 0892f12, 19782b4, 5a63033, 9c90449, c426231, ca99cbc, ec0a750, and f7817ad. Distribution vendors typically incorporate these stable patches into their kernel update streams.
Workarounds
- Disable the ext4 fast commit feature on affected volumes by mounting without fast_commit until a patched kernel is deployed
- Ensure clean shutdowns to minimize fast commit replay invocations that exercise the vulnerable code path
- Monitor and reboot systems exhibiting buffer head slab growth before resource exhaustion impacts service availability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.