7.8
CVE-2026-45984
- EPSS 0.31%
- Veröffentlicht 27.05.2026 12:18:42
- Zuletzt bearbeitet 09.07.2026 13:17:21
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
gfs2: Fix use-after-free in iomap inline data write path
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.2 < 5.10.252
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.202
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.14
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.228 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-826 Premature Release of Resource During Expected Lifetime
The product releases a resource that is still intended to be used by itself or another actor.
https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff
https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142
https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c
https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4
https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d
https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215
https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d
https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321
https://bugzilla.redhat.com/show_bug.cgi?id=2481922
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45984.json
https://access.redhat.com/errata/RHSA-2026:35894
https://access.redhat.com/errata/RHSA-2026:27789
https://access.redhat.com/errata/RHSA-2026:33743
https://access.redhat.com/errata/RHSA-2026:36049
https://access.redhat.com/security/cve/CVE-2026-45984
https://access.redhat.com/errata/RHSA-2026:36767