Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:

- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.

- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.


This patch (of 2):

The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.
Published: 2026-06-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ocfs2/dlm component. The qr_numregions field from a DLM_QUERY_REGION without validation, allowing an attacker to set it up to 255, exceeding the 32‑entry buffer and causing out-of-bounds reads. An off‑by‑one error also reads one element past the valid range. These unchecked reads constitute an out‑of‑bounds read weakness that can leak kernel memory or result in a crash. The weakness is characterized by CWE‑1285.

Affected Systems

All Linux kernel installations that ship the ocfs2 filesystem with the Distributed Lock Manager module are affected, regardless of distribution, provided the patch series is not applied. The CVE description does not specify kernel release, so any kernel version containing the vulnerable ocfs2/dlm code before the patch is at risk.

Risk and Exploitability

The CVSS score is 9.1, indicating high severity, and the EPSS score is reported as <1 %, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious DLM_QUERY_REGION packet sent over the network to the target's DLM service; the DLM. Successful exploitation could read arbitrary kernel memory, leak data, or crash the kernel, causing denial of service. The absence of a high EPSS score and KEV listing suggests limited interest from current threat actors.

Generated by OpenCVE AI on June 28, 2026 at 14:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the ocfs2/dlm: fix two bugs in dlm_match_regions() patch series to enforce bounds checking of qr_numregions.
  • If updating the kernel is not immediately possible, manually apply the bounds check to qr_numregions and correct the off‑by‑one comparison to use '<' instead of '<=' in dlm_match_regions().
  • Restr reduce exposure to crafted DLM_QUERY_REGION packets.

Generated by OpenCVE AI on June 28, 2026 at 14:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 26 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-787

Fri, 26 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qr_numregions in dlm_match_regions() Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()". In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues: - Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer. - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds. This patch (of 2): The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer. Add a bounds check for qr_numregions before entering the loops.
Title ocfs2/dlm: validate qr_numregions in dlm_match_regions()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:24.551Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53043

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53043 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input