Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling
filemap_fault(), and removing vma from the trace event. Since
ip_blkno is copied by value before the lock can be dropped, it
remains valid regardless of what happens to the vma or inode
afterward.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s OCFS2 file system contained a use‑after‑free in the ocfs2_fault() routine when a VM_FAULT_RETRY occurs. A concurrent munmap() can free the associated vm_area_struct while ocfs2_fault still holds a reference to it, causing a dangling pointer dereference during subsequent trace_ocfs2_fault() execution. This memory corruption can be leveraged by an attacker to execute arbitrary code with kernel privileges, thereby escalating privileges to root.

Affected Systems

All Linux kernel installations that include the OCFS2 file system are potentially affected; no specific kernel version range is provided, so any release prior to the inclusion of the described patch is at risk. Deployments using OCFS2 on any Linux distribution should be considered vulnerable until the kernel is updated.

Risk and Exploitability

The flaw receives a CVSS score of 7.8, indicating high severity. The EPSS score of < 1% suggests that current exploitation likelihood is low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring an attacker to trigger the fault path within the kernel, typically by provoking concurrent munmap and fault operations on an OCFS2 mounted volume.

Generated by OpenCVE AI on April 29, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the ocfs2 use‑after‑free fix, such as any kernel built after the commit that saved ip_blkno as an integer before filemap_fault().
  • During the upgrade, ensure all OCFS2 volumes are unmounted or remounted read‑only to avoid exercising the fault path while the system is in transition.
  • Reboot the machine (or reload the kernel module) to load the updated kernel and confirm that OCFS2 faults no longer occur.

Generated by OpenCVE AI on April 29, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 29 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free. Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
Title ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:52.105Z

Reserved: 2026-03-09T15:48:24.121Z

Link: CVE-2026-31597

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:37.457

Modified: 2026-04-29T14:15:58.007

Link: CVE-2026-31597

cve-icon Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31597 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses