gfs2: Fix use-after-free in iomap inline data write path

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-45984
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-27 14:17:15 UTC
Updated2026-05-30 11:17:17 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.024950000 (date 2026-06-02)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.1CNADECLARED7.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 1403989d1b502f4a2c0d0b42ccf1c25748442eff git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 1cae1bafdf9caa9b462b19af06b1a06902e4e142 git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 764c3c84b5683e608f43735c803a5f415046686c git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 d87268326b277af3665237ac76a73dd9fa8e21b4 git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 87d4954b5c59735a99ea98cb208d47130f6dce7d git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 6d76febba07c40bcf358f63216d36ea68cf1c215 git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 815ddd27c0c7171a99fe802fdb19098ddef8b19d git Not specified
CNA Linux Linux affected d0a22a4b03b8475b7aa3fa41243c26c291407844 faddeb848305e79db89ee0479bb0e33380656321 git Not specified
CNA Linux Linux affected 5.2 Not specified
CNA Linux Linux unaffected 5.2 semver Not specified
CNA Linux Linux unaffected 5.10.252 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.202 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.165 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.128 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.75 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.14 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.4 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report