PatchSiren cyber security CVE debrief

CVE-2026-45984 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's GFS2 (Global File System 2) filesystem driver, specifically within the iomap inline data write path. The flaw occurs when gfs2_iomap_begin() prematurely releases a buffer head (dibh) via release_metapath() while iomap->inline_data still holds a pointer to dibh->b_data. This creates a race condition where kswapd can reclaim the freed page before iomap_write_end_inline() attempts to write to the inline data area, resulting in memory corruption. The vulnerability was discovered through KASAN detection following a syzbot report showing approximately 39ms between buffer release and page reclamation. The fix implements proper buffer head reference counting by storing dibh in iomap->private with get_bh() in gfs2_iomap_begin() and releasing it in gfs2_iomap_end() after the inline write completes. Multiple stable kernel branches have received patches. No C reproducer is available, and no CVSS score has been assigned by NVD as of publication.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

System administrators running Linux kernels with GFS2 filesystem support, particularly those using inline data features. Cloud providers and hosting environments offering GFS2-based storage services. Organizations with high-availability clusters relying on GFS2 for shared storage. Security teams monitoring for kernel memory corruption vulnerabilities that could lead to privilege escalation or system instability.

Technical summary

The vulnerability stems from incorrect buffer head lifecycle management in gfs2_iomap_begin(). When handling inline data writes, the function obtains a buffer head (dibh) via gfs2_meta_inode_buffer(), sets iomap->inline_data to point into the buffer, then calls release_metapath() which invokes brelse(dibh). This drops the buffer head reference count to zero, allowing the page to be reclaimed by kswapd. The subsequent iomap_write_end_inline() then performs a memcpy() to the now-freed memory region. The fix adds proper reference counting: dibh is stored in iomap->private with an incremented refcount via get_bh(), ensuring the buffer remains valid until gfs2_iomap_end() releases it after the inline write operation completes. This pattern prevents the race between buffer release and page reclamation that triggered the KASAN-detected use-after-free.
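To make the lifecycle bug concrete, the following is an added user-space model (not kernel code, and not the upstream fix itself) of the two paths described above: the vulnerable begin path drops the last buffer head reference while iomap->inline_data still points into the buffer, and the fixed path pins the buffer in iomap->private with get_bh() until gfs2_iomap_end(). The buffer_head, iomap, get_bh() and brelse() names mirror the kernel's; the single pool page and the kswapd stand-in are simplifications of my own so that the corruption is observable without real undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#define PAGE_SZ 64
/* A single pool page stands in for the page cache so the model never
 * touches genuinely freed memory (no real UB, just observable corruption). */
static char page_pool[PAGE_SZ];
static int page_in_use;                      /* 1 while a buffer head owns the page */
struct buffer_head { int b_count; char *b_data; };
struct iomap { char *inline_data; struct buffer_head *private; };
static void gfs2_meta_inode_buffer(struct buffer_head *bh) {      /* refcount starts at 1 */
    bh->b_count = 1; bh->b_data = page_pool; page_in_use = 1;
    strcpy(page_pool, "inode-inline-data");
}
static void get_bh(struct buffer_head *bh) { bh->b_count++; }
static void brelse(struct buffer_head *bh) {                      /* last ref: page reclaimable */
    if (--bh->b_count == 0) { page_in_use = 0; bh->b_data = NULL; }
}
/* kswapd stand-in (simplification): an unowned page is reclaimed and reused by another owner. */
static void kswapd_reclaim(void) { if (!page_in_use) strcpy(page_pool, "other-owner-data"); }
/* Vulnerable pattern: release_metapath() -> brelse() drops the last reference
 * while iomap->inline_data still points into dibh->b_data. */
static void gfs2_iomap_begin_vuln(struct iomap *iomap, struct buffer_head *dibh) {
    gfs2_meta_inode_buffer(dibh);
    iomap->inline_data = dibh->b_data;
    brelse(dibh);
}
/* Fixed pattern: pin dibh in iomap->private via get_bh() before release_metapath(). */
static void gfs2_iomap_begin_fixed(struct iomap *iomap, struct buffer_head *dibh) {
    gfs2_meta_inode_buffer(dibh);
    iomap->inline_data = dibh->b_data;
    get_bh(dibh); iomap->private = dibh;
    brelse(dibh);                             /* count 2 -> 1, page stays owned */
}
static void gfs2_iomap_end_fixed(struct iomap *iomap) { brelse(iomap->private); iomap->private = NULL; }
/* Drive begin -> reclaim window -> inline write -> end. Returns 1 when the memcpy
 * landed in a page the inode still owned, 0 when it hit a reclaimed page. */
static int run_inline_write(int fixed) {
    struct buffer_head dibh; struct iomap iomap = {0};
    if (fixed) gfs2_iomap_begin_fixed(&iomap, &dibh); else gfs2_iomap_begin_vuln(&iomap, &dibh);
    kswapd_reclaim();                         /* the ~39 ms window from the report */
    int owned = page_in_use;
    memcpy(iomap.inline_data, "new-inline-bytes", 17);    /* iomap_write_end_inline() */
    if (fixed) gfs2_iomap_end_fixed(&iomap);
    return owned;
}
int main(void) {
    printf("vulnerable path: %s\n", run_inline_write(0) ? "ok" : "wrote into a reclaimed page");
    printf("fixed path:      %s\n", run_inline_write(1) ? "ok" : "wrote into a reclaimed page");
    return 0;
}
```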

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates from stable branches once patches are available for your distribution
  • Monitor vendor security advisories for GFS2-related fixes
  • Enable KASAN in test environments to detect similar use-after-free conditions in GFS2 operations
  • Review systems using GFS2 filesystems for stability concerns during inline data operations
  • Consider disabling inline data features on GFS2 if stability issues are observed pending patch availability

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry published 2026-05-27. Technical details confirmed through kernel.org stable commit references. Fix analysis indicates this is a reference counting bug in buffer head lifecycle management within the iomap infrastructure.
