Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix slab-use-after-free in qd_put

Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously")
started freeing quota data objects during filesystem shutdown instead of
putting them back onto the LRU list, but it failed to remove these
objects from the LRU list, causing LRU list corruption. This caused
use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access
already-freed objects on the LRU list.

Fix this by removing qd objects from the LRU list before freeing them in
qd_put().

Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a slab-use-after-free bug in the GFS2 filesystem’s quota data handling. During filesystem shutdown, qd_put() frees quota data objects without first removing them from the LRU list, which corrupts the list. The shrinker gfs2_qd_shrink_scan may later access these freed objects, a use-after-free that can result in kernel memory corruption or execution of arbitrary code. If exploited, an attacker could gain root privileges on the affected system.
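
The ordering the fix enforces (unlink from the LRU list, then free), shown as a user-space C model added here. It is not kernel code or the actual gfs2 patch; `qd_model`, `qd_model_put_sync`, `lru_scan_sum` and the list helpers are hypothetical names, and the three-object scenario is constructed.

```c
#include <stddef.h>
#include <stdlib.h>

/* Circular doubly linked list modelled on the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Hypothetical stand-in for a quota data object linked on an LRU list. */
struct qd_model { int id; struct list_head lru; };
static struct list_head lru_head; /* the list a shrinker would walk */

static struct qd_model *qd_model_new(int id) {
    struct qd_model *qd = malloc(sizeof(*qd));
    if (!qd) return NULL;
    qd->id = id;
    list_add_tail(&qd->lru, &lru_head);
    return qd;
}

/* Fixed ordering: unlink first, then free. Freeing without the unlink
 * leaves the neighbours' next/prev pointing at freed memory. */
static void qd_model_put_sync(struct qd_model *qd) {
    list_del_init(&qd->lru);
    free(qd);
}

/* Shrinker-style scan: dereferences every object still on the LRU. */
int lru_scan_sum(void) {
    int sum = 0;
    for (struct list_head *p = lru_head.next; p != &lru_head; p = p->next)
        sum += ((struct qd_model *)((char *)p - offsetof(struct qd_model, lru)))->id;
    return sum;
}

/* Constructed scenario: three objects, one freed at "shutdown", then a scan. */
int demo_shutdown_free(void) {
    list_init(&lru_head);
    struct qd_model *a = qd_model_new(1), *b = qd_model_new(2), *c = qd_model_new(3);
    if (!a || !b || !c) return -1;
    qd_model_put_sync(b);
    int sum = lru_scan_sum(); /* visits only a and c */
    qd_model_put_sync(a); qd_model_put_sync(c);
    return sum;
}
```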

Affected Systems

The vulnerability affects any Linux kernel that includes the GFS2 filesystem and commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously"), which introduced the bug, but not the later fix to qd_put(). This includes a wide range of distributions that ship their own kernel builds, as well as systems compiled from source without the patch. The vendor list indicates Linux:Linux for the affected product. Without explicit version bounds, any kernel version that carries a475c5dd16e5 without the fix is potentially susceptible.

Risk and Exploitability

Because CVSS and EPSS metrics are not available, the precise exploitation probability is unknown. The bug manifests during a filesystem shutdown and may require local access or a crafted GFS2 volume to trigger, but kernel memory corruption could ultimately enable arbitrary code execution and privilege escalation. The vulnerability is not listed in the CISA KEV catalog, and no public exploit is known, yet the risk of local elevation remains high and should be addressed promptly.

Generated by OpenCVE AI on May 27, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the fix for CVE-2026-45861. Commit a475c5dd16e5 is the change that introduced the bug, not the fix; the fix removes qd objects from the LRU list before freeing them in qd_put(), eliminating the use-after-free.
  • Reboot the system after updating the kernel to load the patched version.
  • If the GFS2 filesystem is unnecessary, unmount all GFS2 volumes and disable GFS2 or quota support to remove the attack surface.
  • As a temporary measure, monitor kernel logs for any OOM or crash events related to GFS2 before the patch is applied.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qd_put Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed to remove these objects from the LRU list, causing LRU list corruption. This caused use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access already-freed objects on the LRU list. Fix this by removing qd objects from the LRU list before freeing them in qd_put(). Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>.
Title | | gfs2: Fix slab-use-after-free in qd_put
First Time appeared | | Linux, Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux, Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:41.057Z

Reserved: 2026-05-13T15:03:33.080Z

Link: CVE-2026-45861

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:58.323

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses