7.8
CVE-2026-31597
- EPSS 0.13%
- Veröffentlicht 24.04.2026 14:42:22
- Zuletzt bearbeitet 01.06.2026 17:16:50
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free. Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.39 < 6.6.136
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.83
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14
Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.027 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2
https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921
https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
https://git.kernel.org/stable/c/35c2c05261d6f6d84aaa1355afa201d507943e76
https://git.kernel.org/stable/c/36539c4d536f851a3b346a6ebb27b51bc3d77a94
https://git.kernel.org/stable/c/3f5e74b5db9353b01ed50f4de84e75b755f8fbc2