Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix use-after-free in iomap inline data write path

The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath() while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data
area.

The bug sequence:
1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode
metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount
to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount
with get_bh() in gfs2_iomap_begin(). The buffer is then properly
released in gfs2_iomap_end() after the inline write completes,
ensuring the page stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.

[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid
leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the GFS2 filesystem of the Linux kernel. During inline data writes, the buffer head that holds the inode metadata is released prematurely while the iomap structure still references its data. This results in a use‑after‑free that causes the kernel to copy data into a de‑allocated buffer, leading to kernel memory corruption. If an attacker induces this faulty write path, the corrupted memory could be leveraged to alter kernel objects or execute arbitrary code, potentially elevating privileges.

Affected Systems

Any Linux kernel that implements the unpatched GFS2 inline data write logic is affected. The CVE entry does not specify a version range, so systems running an unpatched kernel that uses GFS2 are at risk. The affected vendor is Linux itself, through the kernel implementation.

Risk and Exploitability

The CVSS score of 7.8 denotes a moderate to high severity, while the EPSS score of < 1% and the absence from the CISA KEV catalog indicate that exploitation is unlikely so far. The likely attack vector requires local filesystem access to trigger the inline write path; this inference is deduced from the description that points to an inline write operation within the GFS2 filesystem. If exploited, the use‑after‑free could permit a local attacker to corrupt kernel memory or achieve privilege escalation.

Generated by OpenCVE AI on June 17, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the fix that stores the buffer head reference and increments its refcount during the inline data write operation.
  • If a kernel upgrade cannot be performed immediately, unmount or disable the GFS2 filesystem on affected hosts to eliminate the vulnerable code path.
  • Watch kernel logs for KASAN, oops, or memory corruption messages that could indicate exploitation attempts, and investigate any anomalies promptly.

Generated by OpenCVE AI on June 17, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-826
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Title gfs2: Fix use-after-free in iomap inline data write path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-30T10:46:25.407Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45984

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:15.640

Modified: 2026-06-16T02:39:00.917

Link: CVE-2026-45984

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45984 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T00:30:15Z

Weaknesses
  • CWE-416

    Use After Free

  • CWE-826

    Premature Release of Resource During Expected Lifetime