Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: add some missing log locking

Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(),
gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock,
but these functions require exclusion against concurrent transactions.

To fix that, add a non-locking __gfs2_log_flush() function. Then, in
gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log
flushing functions and __gfs2_log_flush().
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s gfs2 filesystem contains a race condition in the gfs2_logd routine. Without holding the sdp->sd_log_flush_lock, log‑flushing helpers can be entered concurrently, violating the required mutual exclusion and potentially leading to inconsistent log state. This weakness is identified as improper exclusion of a critical resource (CWE‑414).

Affected Systems

All Linux kernel releases that include the gfs2 filesystem are affected until the fix from the listed kernel commits is applied. No specific version range is supplied, so any kernel that compiles gfs2 without the patch remains vulnerable.

Risk and Exploitability

The CVSS score of 9.8 marks the issue as extremely severe, but the EPSS score of less than 1% indicates a low probability of active exploitation. The flaw resides in kernel space, so an attacker would need to achieve kernel‑level execution or inject malicious code that triggers gfs2_logd during concurrent transactions. Based on the description, it is inferred that the primary attack vector would be local privilege escalation or a malicious module that exercises the race condition while other gfs2 operations are underway. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 28, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds the missing sdp->sd_log_flush_lock around gfs2_logd and related functions, as referenced in the linked commits.
  • Rebuild and install the updated kernel on all affected hosts to replace the vulnerable code.
  • If the gfs2 filesystem is not required by your workloads, disable or remove it from the kernel configuration to eliminate the attack surface.

Generated by OpenCVE AI on June 28, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-488

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-414
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-488

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gfs2: add some missing log locking Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(), gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock, but these functions require exclusion against concurrent transactions. To fix that, add a non-locking __gfs2_log_flush() function. Then, in gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log flushing functions and __gfs2_log_flush().
Title gfs2: add some missing log locking
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:35.320Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53049

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53049 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses