CVE-2026-31597

EPSS 0.01%
Veröffentlicht 24.04.2026 14:42:22
Zuletzt bearbeitet 29.04.2026 14:15:58
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling
filemap_fault(), and removing vma from the trace event. Since
ip_blkno is copied by value before the lock can be dropped, it
remains valid regardless of what happens to the vma or inode
afterward.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 5 VulnDex Vulnerability Enrichment 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.39 < 6.6.136

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.83

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14

Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d

Patch

https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2

Patch

https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0

Patch

https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2

Patch

https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921

Patch

https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006

Patch