ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Summary
| CVE | CVE-2026-53043 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:16 UTC |
| Updated | 2026-07-14 19:27:29 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qr_numregions in dlm_match_regions() Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()". In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues: - Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer. - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds. This patch (of 2): The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer. Add a bounds check for qr_numregions before entering the loops. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.005210000 probability, percentile 0.405820000 (date 2026-07-13)
Problem Types: CWE-787
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | CNA | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 d3d5efade0c79dac1cac98c0cb1115432f804439 git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 f69551139caf6d24242a0ad049ee46b264e3aee0 git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 1f8b91275912cd428289c1fb424bebd7ff5302bd git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 f37de46149db49abd2b24f4f0c5a88cf4dfb5f47 git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 6c6e8fc3c007319981647b410c29bb5775048551 git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 3f474c33ebc2e2ca3fcb587d7de4375348f13373 git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21 git | Not specified |
| CNA | Linux | Linux | affected ea2034416b54700e30371f2ad6517cbb94674083 7ab3fbb01bc6d79091bc375e5235d360cd9b78be git | Not specified |
| CNA | Linux | Linux | affected 2.6.37 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.37 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/d3d5efade0c79dac1cac98c0cb1115432f804439 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3f474c33ebc2e2ca3fcb587d7de4375348f13373 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/1f8b91275912cd428289c1fb424bebd7ff5302bd | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f69551139caf6d24242a0ad049ee46b264e3aee0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f37de46149db49abd2b24f4f0c5a88cf4dfb5f47 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/7ab3fbb01bc6d79091bc375e5235d360cd9b78be | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/6c6e8fc3c007319981647b410c29bb5775048551 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.