{"api_version":"1","generated_at":"2026-05-31T10:36:54+00:00","cve":"CVE-2026-45961","urls":{"html":"https://cve.report/CVE-2026-45961","api":"https://cve.report/api/cve/CVE-2026-45961.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45961","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45961"},"summary":{"title":"gfs2: fix memory leaks in gfs2_fill_super error path","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix memory leaks in gfs2_fill_super error path\n\nFix two memory leaks in the gfs2_fill_super() error handling path when\ntransitioning a filesystem to read-write mode fails.\n\nFirst leak: kthread objects (thread_struct, task_struct, etc.)\nWhen gfs2_freeze_lock_shared() fails after init_threads() succeeds, the\ncreated kernel threads (logd and quotad) are never destroyed. This\noccurs because the fail_per_node label doesn't call\ngfs2_destroy_threads().\n\nSecond leak: quota bitmap buffer (8192 bytes)\nWhen gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but\nbefore other operations complete, the allocated quota bitmap is never\nfreed.\n\nThe fix moves thread cleanup to the fail_per_node label to handle all\nerror paths uniformly. gfs2_destroy_threads() is safe to call\nunconditionally as it checks for NULL pointers. Quota cleanup is added\nin gfs2_make_fs_rw() to properly handle the withdrawal case where\nquota initialization succeeds but the filesystem is then withdrawn.\n\nThread leak backtrace (gfs2_freeze_lock_shared failure):\n  unreferenced object 0xffff88801d7bca80 (size 4480):\n    copy_process+0x3a1/0x4670 kernel/fork.c:2422\n    kernel_clone+0xf3/0x6e0 kernel/fork.c:2779\n    kthread_create_on_node+0x100/0x150 kernel/kthread.c:478\n    init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611\n    gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265\n\nQuota leak backtrace (gfs2_make_fs_rw failure):\n  unreferenced object 0xffff88812de7c000 (size 8192):\n    gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409\n    gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149\n    gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:12","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102","name":"https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c","name":"https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45961","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45961","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b66f723bb552ad59c2acb5d45ea45c890f84498b e54229ecf49add8451d5f765a32c86ab4446e06c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b66f723bb552ad59c2acb5d45ea45c890f84498b da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2f8623377f3e0cfaa80558631b8694d02a492b4c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c713ebf2fe3f469e4af4de60a3427689ffb7c5d7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c2191e507147b1a22e9170ebb2aaa0f2902fcbfa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9fc32dad3cdba18669c71893f3e6d96905b39b3f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.10.173 5.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.15.99 5.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.16 6.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.2.3 6.3 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.3","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.3 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45961","cve":"CVE-2026-45961","epss":"0.000180000","percentile":"0.053270000","score_date":"2026-05-30","updated_at":"2026-05-31 00:14:03"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/gfs2/ops_fstype.c","fs/gfs2/super.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"e54229ecf49add8451d5f765a32c86ab4446e06c","status":"affected","version":"b66f723bb552ad59c2acb5d45ea45c890f84498b","versionType":"git"},{"lessThan":"da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102","status":"affected","version":"b66f723bb552ad59c2acb5d45ea45c890f84498b","versionType":"git"},{"status":"affected","version":"2f8623377f3e0cfaa80558631b8694d02a492b4c","versionType":"git"},{"status":"affected","version":"c713ebf2fe3f469e4af4de60a3427689ffb7c5d7","versionType":"git"},{"status":"affected","version":"c2191e507147b1a22e9170ebb2aaa0f2902fcbfa","versionType":"git"},{"status":"affected","version":"9fc32dad3cdba18669c71893f3e6d96905b39b3f","versionType":"git"},{"lessThan":"5.11","status":"affected","version":"5.10.173","versionType":"semver"},{"lessThan":"5.16","status":"affected","version":"5.15.99","versionType":"semver"},{"lessThan":"6.2","status":"affected","version":"6.1.16","versionType":"semver"},{"lessThan":"6.3","status":"affected","version":"6.2.3","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/gfs2/ops_fstype.c","fs/gfs2/super.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.3"},{"lessThan":"6.3","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"6.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.173","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.99","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.3","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix memory leaks in gfs2_fill_super error path\n\nFix two memory leaks in the gfs2_fill_super() error handling path when\ntransitioning a filesystem to read-write mode fails.\n\nFirst leak: kthread objects (thread_struct, task_struct, etc.)\nWhen gfs2_freeze_lock_shared() fails after init_threads() succeeds, the\ncreated kernel threads (logd and quotad) are never destroyed. This\noccurs because the fail_per_node label doesn't call\ngfs2_destroy_threads().\n\nSecond leak: quota bitmap buffer (8192 bytes)\nWhen gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but\nbefore other operations complete, the allocated quota bitmap is never\nfreed.\n\nThe fix moves thread cleanup to the fail_per_node label to handle all\nerror paths uniformly. gfs2_destroy_threads() is safe to call\nunconditionally as it checks for NULL pointers. Quota cleanup is added\nin gfs2_make_fs_rw() to properly handle the withdrawal case where\nquota initialization succeeds but the filesystem is then withdrawn.\n\nThread leak backtrace (gfs2_freeze_lock_shared failure):\n  unreferenced object 0xffff88801d7bca80 (size 4480):\n    copy_process+0x3a1/0x4670 kernel/fork.c:2422\n    kernel_clone+0xf3/0x6e0 kernel/fork.c:2779\n    kthread_create_on_node+0x100/0x150 kernel/kthread.c:478\n    init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611\n    gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265\n\nQuota leak backtrace (gfs2_make_fs_rw failure):\n  unreferenced object 0xffff88812de7c000 (size 8192):\n    gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409\n    gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149\n    gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275"}],"providerMetadata":{"dateUpdated":"2026-05-27T12:18:17.637Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c"},{"url":"https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102"}],"title":"gfs2: fix memory leaks in gfs2_fill_super error path","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45961","datePublished":"2026-05-27T12:18:17.637Z","dateReserved":"2026-05-13T15:03:33.089Z","dateUpdated":"2026-05-27T12:18:17.637Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:12","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45961","Ordinal":"1","Title":"gfs2: fix memory leaks in gfs2_fill_super error path","CVE":"CVE-2026-45961","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45961","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix memory leaks in gfs2_fill_super error path\n\nFix two memory leaks in the gfs2_fill_super() error handling path when\ntransitioning a filesystem to read-write mode fails.\n\nFirst leak: kthread objects (thread_struct, task_struct, etc.)\nWhen gfs2_freeze_lock_shared() fails after init_threads() succeeds, the\ncreated kernel threads (logd and quotad) are never destroyed. This\noccurs because the fail_per_node label doesn't call\ngfs2_destroy_threads().\n\nSecond leak: quota bitmap buffer (8192 bytes)\nWhen gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but\nbefore other operations complete, the allocated quota bitmap is never\nfreed.\n\nThe fix moves thread cleanup to the fail_per_node label to handle all\nerror paths uniformly. gfs2_destroy_threads() is safe to call\nunconditionally as it checks for NULL pointers. Quota cleanup is added\nin gfs2_make_fs_rw() to properly handle the withdrawal case where\nquota initialization succeeds but the filesystem is then withdrawn.\n\nThread leak backtrace (gfs2_freeze_lock_shared failure):\n  unreferenced object 0xffff88801d7bca80 (size 4480):\n    copy_process+0x3a1/0x4670 kernel/fork.c:2422\n    kernel_clone+0xf3/0x6e0 kernel/fork.c:2779\n    kthread_create_on_node+0x100/0x150 kernel/kthread.c:478\n    init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611\n    gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265\n\nQuota leak backtrace (gfs2_make_fs_rw failure):\n  unreferenced object 0xffff88812de7c000 (size 8192):\n    gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409\n    gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149\n    gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275","Type":"Description","Title":"gfs2: fix memory leaks in gfs2_fill_super error path"}]}}}