CVE-2026-45984
Analyzed Analyzed - Analysis Complete
Use-After-Free in GFS2 Filesystem

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45984
EUVD
EUVD-2026-32269
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.14 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 5.2 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel's gfs2 filesystem code, specifically in the inline data write path.

The issue occurs because the inline data buffer head (dibh) is released too early in the function gfs2_iomap_begin(), while a pointer (iomap->inline_data) still references the freed memory.

Later, when iomap_write_end_inline() tries to write data to this inline data area, it ends up writing to memory that has already been freed, causing a use-after-free error detected by KASAN.

The fix involves properly managing the buffer head's reference count to ensure the memory remains valid throughout the entire iomap operation.

Impact Analysis

A use-after-free vulnerability like this can lead to memory corruption, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Since this bug occurs in the filesystem code, it could be triggered by certain file operations, potentially leading to denial of service or escalation of privileges on affected Linux systems.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the gfs2 use-after-free issue in the iomap inline data write path has been resolved.

Specifically, the fix involves proper reference counting of the buffer head in gfs2_iomap_begin() and releasing it only after the inline write completes, preventing premature freeing.

Therefore, the immediate mitigation step is to apply the kernel update that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart