HIGH Published 2026-05-06

cachefiles Dentry Leak

CVE-2026-43106

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI6.1MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Local users with low privileges can trigger a use-after-free in the cachefiles subsystem via a missing dentry reference count increment in cachefiles_cull(). The missing dget() causes cachefiles_bury_object() to drop the sole reference, after which cachefiles_cull() performs a second dput() on the freed dentry. This results in kernel memory corruption and a subsequent kernel panic or system crash.

Affectedfs/cachefiles/namei.c (cachefiles)

Vulnerability analysis

The root cause is a reference counting mismatch introduced when cachefiles_bury_object() was modified to expect two references to the victim dentry and drop one. The cachefiles_cull() caller was not updated to provide the extra reference. Because cachefiles_cull() already held only one reference and calls dput() after cachefiles_bury_object(), the net result is that the dentry is freed by cachefiles_bury_object() and then use-after-freed by the subsequent dput() in cachefiles_cull(). The fix adds a dget() before the call to ensure the expected reference count. This is a use-after-free on a slab-allocated dentry object: the second dput() writes to freed memory, corrupting the lockref of whatever object occupies that memory next, and reliably causes a kernel crash.

03Fix Versions

Branch	Fixed in	Patch commit
6.19	6.19.14	`6577df7dc7a7`
mainline	7.0	`1635c2acdde8`