CVE-2026-45984
CVSS v3.1 severity:
HIGH
Type:
CWE-416
Use After Free
Publication date:
27/05/2026
Last modified:
01/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix use-after-free in iomap inline data write path

The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath() while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data
area.

The bug sequence:
1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount
with get_bh() in gfs2_iomap_begin(). The buffer is then properly
released in gfs2_iomap_end() after the inline write completes,
ensuring the page stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.

[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid
leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Impact
Base score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.2 (including) | 5.10.252 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.202 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.165 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.128 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |
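A triage helper built from the affected-version table above, added here as an example (it is not part of the CVE record or of the kernel fix). The function names and the sample release strings are constructed for illustration; it compares upstream version numbers only, so a vendor kernel that falls in a range is flagged for checking against the vendor advisory rather than reported as vulnerable.

```python
import re

# Affected upstream ranges copied from the CPE table above:
# (first affected, first fixed); start inclusive, end exclusive.
AFFECTED_RANGES = [
    ("5.2", "5.10.252"), ("5.11", "5.15.202"), ("5.16", "6.1.165"),
    ("6.2", "6.6.128"), ("6.7", "6.12.75"), ("6.13", "6.18.14"),
    ("6.19", "6.19.4"),
]

def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = tuple(int(g or 0) for g in m.groups())
    return version, release[m.end():]

def triage(release):
    """Compare a kernel release against the table's ranges.

    vendor_build is True when the string carries a distribution suffix; such
    kernels may include backported fixes, so the version number alone does
    not settle their status (assumption of this example, not from the record).
    """
    version, suffix = parse_release(release)
    vendor_build = bool(suffix) and not re.fullmatch(r"-rc\d+", suffix)
    for start, end in AFFECTED_RANGES:
        if parse_release(start)[0] <= version < parse_release(end)[0]:
            return {"in_range": True, "fixed_in": end, "vendor_build": vendor_build}
    return {"in_range": False, "fixed_in": None, "vendor_build": vendor_build}

if __name__ == "__main__":
    # Constructed sample release strings, not taken from the record.
    for rel in ("5.10.251", "5.10.252", "6.12.74", "6.19.4",
                "5.14.0-570.el9.x86_64", "5.1.21"):
        print(rel, triage(rel))
```

When `in_range` and `vendor_build` are both true, the vendor's advisory for that build decides the status, since the table describes upstream releases.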
References to solutions, tools and information
- https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff
- https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142
- https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215
- https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c
- https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d
- https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d
- https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4
- https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321
- https://access.redhat.com/errata/RHSA-2026:27789
- https://access.redhat.com/errata/RHSA-2026:33743
- https://access.redhat.com/security/cve/CVE-2026-45984
- https://bugzilla.redhat.com/show_bug.cgi?id=2481922
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45984.json



