HIGH
afs MmapPrepare Leak
CVE-2026-46100
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

fs: afs: revert mmap_prepare() change

Partially reverts commit 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to .mmap_prepare()").

This is because the .mmap invocation establishes a refcount, but .mmap_prepare is called at a point where a merge or an allocation failure might happen after the call, which would leak the refcount increment.

Functionality is being added to permit the use of .mmap_prepare in this case, but in the interim, we need to fix this.
02 KernelScan AI Analysis
Risk summary
Local users with access to AFS files can cause reference count leaks in the AFS filesystem by triggering memory mapping failures or merges. This leads to resource exhaustion and denial of service through accumulated leaked references that prevent proper cleanup of AFS vnodes.
Vulnerability analysis
The vulnerability stems from improper use of the .mmap_prepare() callback in the AFS filesystem. The original .mmap() callback established a reference count and handled cleanup on failure, but .mmap_prepare() is called earlier in the VMA creation process where subsequent allocation failures or VMA merges can occur after the refcount increment. When these post-prepare failures happen, the refcount increment from afs_add_open_mmap() is never balanced by afs_drop_open_mmap(), causing a permanent leak. The fix reverts to the original .mmap() callback which ensures proper cleanup timing and prevents the leak condition.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.27 | f51f85c04480 |
| 7.0 | 7.0.4 | 48c7a0eaeea4 |
| mainline | 7.1-rc1 | fbfc6578eaca |