CVE-2026-53039
Status: Received - Intake
Buffer Overflow in Linux Kernel OCFS2 Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate group add input before caching

[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in ocfs2_set_new_buffer_uptodate():

kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
 ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
 ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d

[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a user-controlled group block before ocfs2_verify_group_and_input() validates that block number. That helper is only valid for newly allocated metadata and asserts that the block is not already present in the chosen metadata cache. The code also uses INODE_CACHE(inode) even though the group descriptor belongs to main_bm_inode and later journal accesses use that cache context instead.

[FIX]
Validate the on-disk group descriptor before caching it, then add it to the metadata cache tracked by INODE_CACHE(main_bm_inode). Keep the validation failure path separate from the later cleanup path so we only remove the buffer from that cache after it has actually been inserted. This keeps the group buffer lifetime consistent across validation, journaling, and cleanup.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: oracle
Product: ocfs2
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's OCFS2 filesystem code. Specifically, ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a user-controlled group block before ocfs2_verify_group_and_input() has validated that block number. That helper is only meant for newly allocated metadata and asserts that the block is not already present in the metadata cache, so a block number chosen by the caller can trip the assertion. The code also inserts the buffer into the cache of the wrong inode (INODE_CACHE(inode) rather than the cache of main_bm_inode, which the later journal accesses use), leading to inconsistent buffer lifetime management.

The issue can trigger a kernel BUG_ON, which on x86 surfaces as the invalid-opcode exception shown in the oops ("kernel BUG at fs/ocfs2/uptodate.c:509!") and crashes the kernel. The root cause is that the group descriptor is not validated before being cached, and the buffer is managed inconsistently across validation, journaling, and cleanup.

The fix validates the on-disk group descriptor before caching it and adds the buffer to the correct metadata cache, the one tracked by INODE_CACHE(main_bm_inode). The validation failure path is kept separate from the later cleanup path so the buffer is only removed from the cache after it has actually been inserted, keeping its lifetime consistent.

Impact Analysis

This vulnerability can cause a kernel crash (BUG) on systems that use the OCFS2 filesystem, resulting in a denial of service. The trigger is the OCFS2_IOC_GROUP_ADD ioctl, so a caller able to issue that ioctl on an OCFS2 mount can bring down the kernel; once the BUG_ON fires, the system may become unstable or unresponsive.

Such crashes can disrupt normal operations, potentially causing data loss or corruption if the filesystem is in use at the time of the crash.
