Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-45984— gfs2: Fix use-after-free in iomap inline data write path

CVSS 7.8 · High EPSS 0.01% · P2

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinuxd0a22a4b03b8475b7aa3fa41243c26c291407844< 1403989d1b502f4a2c0d0b42ccf1c25748442effaffected
d0a22a4b03b8475b7aa3fa41243c26c291407844< 1cae1bafdf9caa9b462b19af06b1a06902e4e142affected
d0a22a4b03b8475b7aa3fa41243c26c291407844< 764c3c84b5683e608f43735c803a5f415046686caffected
d0a22a4b03b8475b7aa3fa41243c26c291407844< d87268326b277af3665237ac76a73dd9fa8e21b4affected
d0a22a4b03b8475b7aa3fa41243c26c291407844< 87d4954b5c59735a99ea98cb208d47130f6dce7daffected
d0a22a4b03b8475b7aa3fa41243c26c291407844< 6d76febba07c40bcf358f63216d36ea68cf1c215affected
d0a22a4b03b8475b7aa3fa41243c26c291407844< 815ddd27c0c7171a99fe802fdb19098ddef8b19daffected
d0a22a4b03b8475b7aa3fa41243c26c291407844< faddeb848305e79db89ee0479bb0e33380656321affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-45984

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
gfs2: Fix use-after-free in iomap inline data write path
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于gfs2在iomap内联数据写入路径中过早释放内联数据缓冲区头,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d0a22a4b03b8475b7aa3fa41243c26c291407844 ~ 1403989d1b502f4a2c0d0b42ccf1c25748442eff -
LinuxLinux 5.2 -

II. Public POCs for CVE-2026-45984

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-45984

登录查看更多情报信息。

Patches & Fixes for CVE-2026-45984 (8)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-458989.8 CRITICALRDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-459889.8 CRITICALrxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-459729.8 CRITICALsmb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-460399.8 CRITICALrxgk: Fix potential integer overflow in length check
CVE-2026-460439.1 CRITICALRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-459458.8 HIGHiommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-460568.8 HIGHBluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-458438.2 HIGHslip: bound decode() reads against the compressed packet length
CVE-2026-460378.2 HIGHipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-460998.1 HIGHnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-460108.1 HIGHrxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-460767.9 HIGHKVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-460657.8 HIGHfbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
CVE-2026-459337.8 HIGHbpf: Preserve id of register in sync_linked_regs()
CVE-2026-460367.8 HIGHvfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
CVE-2026-459317.8 HIGHaccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
CVE-2026-459297.8 HIGHovpn: fix possible use-after-free in ovpn_net_xmit
CVE-2026-458627.8 HIGHiommu/vt-d: Flush cache for PASID table before using it
CVE-2026-460627.8 HIGHntfs3: fix integer overflow in run_unpack() volume boundary check
CVE-2026-460537.8 HIGHnet: rds: fix MR cleanup on copy error

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-45984

No comments yet

Leave a comment