In the Linux kernel, the following vulnerability has been resolved:

ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()

The commit c8e008b60492 ("ext4: ignore xattrs past end")
introduced a refcount leak in when block_csum is false.

ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to
get iloc.bh, but never releases it with brelse().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
362a90cecd36e8a5c415966d0b75b04a0270e4dd affected < 1bc1107a3a403a6d440673ed6666f7b07ef868a8
eb59cc31b6ea076021d14b04e7faab1636b87d0e affected < 097227f1ffe1a85bc3c359f81c71e3d40e06e920
c8e008b60492cf6fd31ef127aea6d02fd3d314cd affected < 1e6b0a69bf2c9c819255c7566e4355536d81d9cf
c8e008b60492cf6fd31ef127aea6d02fd3d314cd affected < f072906688933bf47fabbaf63560be03357c8298
c8e008b60492cf6fd31ef127aea6d02fd3d314cd affected < 77d059519382bd66283e6a4e83ee186e87e7708f
6aff941cb0f7d0c897c3698ad2e30672709135e3 affected
76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 affected
f737418b6de31c962c7192777ee4018906975383 affected
cf9291a3449b04688b81e32621e88de8f4314b54 affected
3bc6317033f365ce578eb6039445fb66162722fd affected
836e625b03a666cf93ff5be328c8cb30336db872 affected
6.6.88 affected < 6.6.140
6.12.24 affected < 6.12.86
5.4.293 affected < 5.5
5.10.237 affected < 5.11
5.15.181 affected < 5.16
6.1.135 affected < 6.2
6.13.12 affected < 6.14
6.14.3 affected < 6.15
Linux Linux affected
Version Status Constraints
6.15 affected
0 unaffected < 6.15
6.6.140 unaffected ≤ 6.6.*
6.12.86 unaffected ≤ 6.12.*
6.18.27 unaffected ≤ 6.18.*
7.0.4 unaffected ≤ 7.0.*
7.1-rc1 unaffected ≤ *

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/097227f1ffe1a85bc3c359f81c71e3d40e06e920 cve-icon cve-icon
https://git.kernel.org/stable/c/1bc1107a3a403a6d440673ed6666f7b07ef868a8 cve-icon cve-icon
https://git.kernel.org/stable/c/1e6b0a69bf2c9c819255c7566e4355536d81d9cf cve-icon cve-icon
https://git.kernel.org/stable/c/77d059519382bd66283e6a4e83ee186e87e7708f cve-icon cve-icon
https://git.kernel.org/stable/c/f072906688933bf47fabbaf63560be03357c8298 cve-icon cve-icon
History

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() The commit c8e008b60492 ("ext4: ignore xattrs past end") introduced a refcount leak in when block_csum is false. ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to get iloc.bh, but never releases it with brelse().
Title ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:02.610Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46046

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:24.083

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46046

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.