CVE-2026-45861
Awaiting Analysis
GFS2 Quota Data Use-After-Free in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix slab-use-after-free in qd_put

Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed to remove these objects from the LRU list, causing LRU list corruption. This caused use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access already-freed objects on the LRU list.

Fix this by removing qd objects from the LRU list before freeing them in qd_put().

Initial fix from Deepanshu Kartikey <[email protected]>.
Meta Information

Published: 2026-05-27

Last Modified: 2026-05-30

Generated: 2026-06-16

AI Q&A: 2026-05-27

EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's gfs2 filesystem quota data management. During filesystem shutdown, quota data objects were freed instead of being put back onto the Least Recently Used (LRU) list, but they were not removed from that list first. As a result, the shrinker (gfs2_qd_shrink_scan) could attempt to access these already-freed objects, leading to use-after-free errors.

The fix involved removing quota data objects from the LRU list before freeing them, preventing the system from accessing invalid memory.
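
A userspace model of the bug class described above, added here as an illustration and not taken from the kernel source. The names qd_model, put_buggy, put_fixed and scan_stale are hypothetical, and a freed flag stands in for the real free so the stale LRU entry can be observed without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal circular doubly linked list, in the style of the kernel's list_head. */
struct node { struct node *prev, *next; };

/* Hypothetical stand-in for a quota data object; "freed" models the free. */
struct qd_model { struct node lru; bool freed; };

static void list_init(struct node *h) { h->prev = h->next = h; }
static void list_add_tail(struct node *n, struct node *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
static void list_del_init(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Buggy shutdown path: the object is released while still linked on the LRU. */
static void put_buggy(struct qd_model *qd) { qd->freed = true; }

/* Fixed path: unlink from the LRU first, then release. */
static void put_fixed(struct qd_model *qd) { list_del_init(&qd->lru); qd->freed = true; }

/* Model of a shrinker scan: count LRU entries that refer to released objects. */
static int scan_stale(struct node *lru) {
    int stale = 0;
    for (struct node *n = lru->next; n != lru; n = n->next)
        if (((struct qd_model *)n)->freed)   /* lru is the first member */
            stale++;
    return stale;
}

/* Put three objects on the LRU, release one at "shutdown", then scan. */
static int run(void (*put)(struct qd_model *)) {
    struct node lru; struct qd_model qd[3] = {0};
    list_init(&lru);
    for (int i = 0; i < 3; i++) list_add_tail(&qd[i].lru, &lru);
    put(&qd[1]);
    return scan_stale(&lru);
}

int main(void) {
    printf("buggy: %d stale, fixed: %d stale\n", run(put_buggy), run(put_fixed));
    return 0;
}
```

In the model, every stale entry the scan counts corresponds to a freed object the real shrinker would dereference.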

Impact Analysis

This use-after-free vulnerability can lead to system instability or crashes due to the kernel accessing freed memory. It may also be exploited to cause denial of service or escalate privileges, depending on the attacker's capabilities and system configuration.

Mitigation Strategies

The vulnerability in the Linux kernel's gfs2 filesystem is a use-after-free in quota data object handling during filesystem shutdown. To mitigate it, update your Linux kernel to a version that includes the fix, which removes qd objects from the LRU list before freeing them in qd_put(). Note that commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") is the change that introduced the bug, not the fix.

Applying the latest kernel patches or upgrading to a fixed kernel version is the immediate and recommended step to prevent exploitation of this vulnerability.
