Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:

- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.

- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.


This patch (of 2):

The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s ocfs2/dlm component, where the field qr_numregions from a DLM_QUERY_REGION network message is used directly as a loop bound without verifying it against the maximum allowed value. A crafted message can set qr_numregions to any value up to 255, which exceeds the 32‑entry buffer of qr_regions and causes the kernel to perform out‑of‑bounds reads. The off‑by‑one error in a comparison loop exacerbates the issue by reading an additional entry even when qr_numregions is within bounds. These unchecked reads can leak kernel memory contents to a remote attacker or trigger a crash, compromising confidentiality and availability.

Affected Systems

All Linux distributions that ship the ocfs2 filesystem with the Distributed Lock Manager (dlm) component are affected, regardless of the specific kernel release. The vulnerability does not list particular kernel versions, so any installation that incorporates the ocfs2/dlm module and has not been updated with the patch series can be vulnerable.

Risk and Exploitability

No CVSS or EPSS score is publicly available, and the vulnerability is not currently listed in the CISA KEV catalog. The most likely attack vector is a remote attacker sending a malicious DLM_QUERY_REGION packet to a machine running the ocfs2/dlm service. Because the fault manifests as unchecked memory access, exploitation is relatively straightforward for an attacker with networking access to the service, potentially yielding information disclosure or denial of service. The severity is mitigated only by applying the code changes that enforce bounds checking.

Generated by OpenCVE AI on June 24, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the "ocfs2/dlm: fix two bugs in dlm_match_regions()" patch series
  • If an update is unavailable, manually patch the kernel sources with the provided series and rebuild the kernel or module
  • Configure firewall or network controls to restrict untrusted traffic from reaching the DLM services to reduce exposure to crafted packets

Generated by OpenCVE AI on June 24, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qr_numregions in dlm_match_regions() Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()". In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues: - Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer. - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds. This patch (of 2): The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer. Add a bounds check for qr_numregions before entering the loops.
Title ocfs2/dlm: validate qr_numregions in dlm_match_regions()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:49.480Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53043

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses