CVE-2026-53040
Status: Received - Intake
Out-of-Bounds Bitmap Walk in OCFS2 Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate bg_bits during freefrag scan

[BUG]
A crafted filesystem can trigger an out-of-bounds bitmap walk when OCFS2_IOC_INFO is issued with OCFS2_INFO_FL_NON_COHERENT.

BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in test_bit_le include/asm-generic/bitops/le.h:21 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435

Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xbe/0x130 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xd1/0x650 mm/kasan/report.c:482
 kasan_report+0xfb/0x140 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x11c/0x200 mm/kasan/generic.c:200
 __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 test_bit_le include/asm-generic/bitops/le.h:21 [inline]
 ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
 ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
 ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
 ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
 ocfs2_info_handle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828
 ocfs2_ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 ...

[CAUSE]
ocfs2_info_freefrag_scan_chain() uses on-disk bg_bits directly as the bitmap scan limit. The coherent path reads group descriptors through ocfs2_read_group_descriptor(), which validates the descriptor before use. The non-coherent path uses ocfs2_read_blocks_sync() instead and skips that validation, so an impossible bg_bits value can drive the bitmap walk past the end of the block.

[FIX]
Compute the bitmap capacity from the filesystem format with ocfs2_group_bitmap_size(), report descriptors whose bg_bits exceeds that limit, and clamp the scan to the computed capacity. This keeps the freefrag report going while avoiding reads beyond the buffer.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Indexed in: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: oracle
Product: ocfs2
Version / Range: * (all versions)
CWE ID: CWE-UNKNOWN (not yet assigned)

AI Quick Actions
Executive Summary

This vulnerability exists in the Linux kernel's OCFS2 filesystem implementation. It is a missing validation of the on-disk bg_bits field of a group descriptor during the freefrag scan that runs when the OCFS2_IOC_INFO ioctl is issued with the OCFS2_INFO_FL_NON_COHERENT flag.

The coherent path reads group descriptors through ocfs2_read_group_descriptor(), which validates the descriptor before use. The non-coherent path reads them with ocfs2_read_blocks_sync() and skips that validation, so ocfs2_info_freefrag_scan_chain() uses bg_bits straight from disk as the bitmap scan limit. A crafted filesystem with an impossibly large bg_bits therefore drives the walk past the end of the block buffer. KASAN labels the read a use-after-free because the memory beyond the buffer happened to be freed at the time; the root cause is an out-of-bounds read of a bitmap, not a dangling pointer.

The fix computes the bitmap capacity from the filesystem format with ocfs2_group_bitmap_size(), reports descriptors whose bg_bits exceeds that capacity, and clamps the scan to it, so the freefrag report still completes without reading beyond the buffer.
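The clamp described above, as an added example written for this page rather than the kernel's own code: a userspace C model of a group-descriptor block whose bg_bits claims more bitmap than the block can hold. The struct layout is modelled on the on-disk descriptor but is an assumption of this example, and the names model_group_bitmap_bits, checked_limit, scan_block and run_scan are the example's, not the kernel's. It puts the limit the vulnerable path would trust (bg_bits read from disk) beside the limit the fixed path walks (capacity derived from the block size), and shows that the clamped scan still yields a usable free-bit count.

```c
/*
 * Added example (not kernel code): userspace model of the bg_bits check the
 * fix adds to the OCFS2 freefrag scan. The descriptor layout is modelled on
 * struct ocfs2_group_desc but is an assumption of this example.
 */
#include <assert.h>
#include <stdalign.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCKSIZE 512u   /* smallest OCFS2 block size; one descriptor per block */

/* Stand-in for the on-disk group descriptor (assumed field layout). */
struct gd_model {
	uint8_t  bg_signature[8];
	uint16_t bg_size;            /* bitmap bytes claimed by the descriptor */
	uint16_t bg_bits;            /* bitmap bits claimed by the descriptor */
	uint16_t bg_free_bits_count;
	uint16_t bg_chain;
	uint32_t bg_generation;
	uint32_t bg_reserved1;
	uint64_t bg_next_group;
	uint64_t bg_parent_dinode;
	uint64_t bg_blkno;
	uint64_t bg_reserved2[2];
	uint8_t  bg_bitmap[];        /* runs to the end of the block */
};

struct scan_result {
	unsigned limit_unchecked;    /* what the vulnerable path would walk */
	unsigned limit_checked;      /* what the fixed path walks */
	unsigned free_bits;          /* free bits counted within the clamp */
	bool     corrupt;            /* descriptor claimed more than fits */
};

/* Capacity comes from the format (block size minus header), never from the
 * descriptor itself; this is the role ocfs2_group_bitmap_size() plays. */
static unsigned model_group_bitmap_bits(size_t blocksize)
{
	return (unsigned)(blocksize - offsetof(struct gd_model, bg_bitmap)) * 8;
}

static bool test_bit_le(unsigned bit, const uint8_t *map)
{
	return (map[bit / 8] >> (bit % 8)) & 1;
}

/* Fixed limit: clamp bg_bits to capacity and flag the descriptor. */
static unsigned checked_limit(const struct gd_model *bg, size_t blocksize,
			      bool *corrupt)
{
	unsigned max_bits = model_group_bitmap_bits(blocksize);

	*corrupt = bg->bg_bits > max_bits;
	if (*corrupt)
		fprintf(stderr, "group %llu: bg_bits %u exceeds capacity %u, clamping\n",
			(unsigned long long)bg->bg_blkno, bg->bg_bits, max_bits);
	return *corrupt ? max_bits : bg->bg_bits;
}

/* Scan a block for free (zero) bits without leaving the buffer. */
static struct scan_result scan_block(const uint8_t *block, size_t blocksize)
{
	const struct gd_model *bg = (const struct gd_model *)block;
	struct scan_result r = { .limit_unchecked = bg->bg_bits };

	r.limit_checked = checked_limit(bg, blocksize, &r.corrupt);
	for (unsigned i = 0; i < r.limit_checked; i++)
		if (!test_bit_le(i, bg->bg_bitmap))
			r.free_bits++;
	return r;
}

/* Build a constructed descriptor block with the given bg_bits and the first
 * 16 bits allocated; a bg_bits above capacity makes it the crafted case. */
static struct scan_result run_scan(uint16_t bg_bits)
{
	alignas(8) uint8_t block[BLOCKSIZE];
	struct gd_model *bg = (struct gd_model *)block;

	memset(block, 0, sizeof block);
	memcpy(bg->bg_signature, "GROUP01", 8);
	bg->bg_bits = bg_bits;
	bg->bg_size = (uint16_t)(bg_bits / 8);
	bg->bg_blkno = 4096;          /* arbitrary constructed block number */
	bg->bg_bitmap[0] = bg->bg_bitmap[1] = 0xff;
	return scan_block(block, sizeof block);
}

int main(void)
{
	struct scan_result sane = run_scan(1024);
	struct scan_result bad = run_scan(0xffff);

	printf("sane: limit %u free %u corrupt %d\n",
	       sane.limit_checked, sane.free_bits, sane.corrupt);
	printf("crafted: unchecked walk %u bits, capacity %u, clamped to %u, corrupt %d\n",
	       bad.limit_unchecked, model_group_bitmap_bits(BLOCKSIZE),
	       bad.limit_checked, bad.corrupt);
	return 0;
}
```

Compile with `cc -std=c11 -Wall`. The crafted case logs the clamp on stderr and walks 3584 bits instead of the 65535 that bg_bits asked for. The design point is that the walk length is fixed by the format (block size minus header), which an attacker cannot inflate, whereas bg_bits is attacker-controlled data read straight from disk and must only ever be compared against that capacity, never used as a bound on its own.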

Impact Analysis

A crafted OCFS2 image, once mounted, lets a caller of OCFS2_IOC_INFO with OCFS2_INFO_FL_NON_COHERENT make the kernel read past the end of a block buffer during the freefrag scan.

The report documents an out-of-bounds read. The expected consequences are a kernel crash (denial of service) and, because the scan counts bits from whatever memory follows the buffer, the possibility that a few bits of adjacent kernel memory influence the statistics returned to the caller. Arbitrary code execution or privilege escalation is not demonstrated by the report; it would require a further primitive beyond this read.

Exposure requires the ocfs2 module to be loaded and an attacker-controlled image to be mounted, so hosts that auto-mount removable media or accept user-supplied disk images for OCFS2 carry the most risk.

Detection Guidance

The ioctl arguments themselves are not malformed; the malformed data is the group descriptor on disk. Detection therefore has to key on the combination of an OCFS2 mount from an untrusted source and OCFS2_IOC_INFO requests carrying the OCFS2_INFO_FL_NON_COHERENT flag, together with kernel log evidence.

Useful signals: on instrumented or test kernels, KASAN reports with ocfs2_info_freefrag_scan_chain, ocfs2_info_freefrag_scan_bitmap and ocfs2_info_handle_request in the trace; on production kernels, oops or panic messages containing those frames; and on patched kernels, the error the fix logs for group descriptors whose bg_bits exceeds the computed bitmap capacity, which is itself evidence that a corrupt or crafted image was mounted. Auditing mount events for OCFS2 images from removable or user-supplied sources narrows the population to watch.

No specific commands or detection tools are provided in the available information.

Mitigation Strategies

The vulnerability has been fixed by validating the bg_bits field during the freefrag scan: the bitmap capacity is computed from the filesystem format with ocfs2_group_bitmap_size(), descriptors that claim more are reported, and the scan is clamped to the computed capacity so it cannot read beyond the buffer.

The immediate step is to update the Linux kernel to a version that includes this fix.

Until then, do not mount untrusted or user-supplied OCFS2 images, and disable any automatic mounting of removable media as OCFS2. On hosts that do not use OCFS2 at all, preventing the module from loading (for example, an `install ocfs2 /bin/false` line in a file under /etc/modprobe.d/) removes the attack surface entirely.
