CVE-2026-53043
Buffer Overflow in Linux Kernel OCFS2 DLM

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues:

- Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.

This patch (of 2):

The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.

Generated: 2026-06-25

Affected Vendors & Products
Vendor | Product      | Version / Range
linux  | kernel       | to 255 (exc)
linux  | linux_kernel | to 32 (exc)
linux  | kernel       | to 32 (exc)

Executive Summary

This vulnerability exists in the Linux kernel's ocfs2/dlm component, specifically in the dlm_match_regions() function. The issue arises because the qr_numregions field from a DLM_QUERY_REGION network message is used directly as a loop bound without proper validation against the maximum allowed regions (O2NM_MAX_REGIONS).

Because the o2net layer only validates message byte length and not the actual field values, an attacker can craft a message with qr_numregions set to a value greater than the maximum (up to 255), causing the function to read beyond the allocated qr_regions buffer (which can hold only up to 32 entries). This leads to out-of-bounds reads.

Additionally, there was an off-by-one error in the comparison loop that could cause reading one entry past the valid range even when qr_numregions was within bounds. The patch series fixes both the missing bounds check and the off-by-one error; the patch described in this CVE (patch 1 of 2) adds the bounds check.
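
The two checks described above, shown in a simplified user-space model. This is an added example, not the kernel's code or the upstream patch. The struct layout, REGION_NAME_LEN, the MATCH_* codes and the function names are assumptions for illustration; only qr_numregions, qr_regions and the limit of 32 come from the advisory.

```c
#include <stdint.h>
#include <string.h>
#define MAX_REGIONS     32  /* O2NM_MAX_REGIONS, per the advisory */
#define REGION_NAME_LEN 32  /* assumed: 1024-byte buffer / 32 entries */

/* Simplified stand-in for the DLM_QUERY_REGION payload (hypothetical layout). */
struct query_region_msg {
    uint8_t qr_numregions;  /* sender-controlled, 0..255 */
    uint8_t qr_regions[MAX_REGIONS * REGION_NAME_LEN];
};
enum { MATCH_OK = 0, MATCH_MISSING = -1, MATCH_MALFORMED = -2 };

/* Is the name at r present in the first n slots of list? */
static int region_in_list(const uint8_t *r, const uint8_t *list, unsigned n)
{
    for (unsigned i = 0; i < n; i++)  /* '<': slot n is outside the valid range */
        if (!memcmp(r, list + (size_t)i * REGION_NAME_LEN, REGION_NAME_LEN))
            return 1;
    return 0;
}

/* Compare local and remote region lists in both directions. */
int match_regions(const struct query_region_msg *qr,
                  const uint8_t *local, unsigned local_n)
{
    unsigned remote_n = qr->qr_numregions;
    /* A length check on the message does not constrain this field. */
    if (remote_n > MAX_REGIONS || local_n > MAX_REGIONS)
        return MATCH_MALFORMED;
    for (unsigned i = 0; i < local_n; i++)
        if (!region_in_list(local + (size_t)i * REGION_NAME_LEN, qr->qr_regions, remote_n))
            return MATCH_MISSING;
    for (unsigned i = 0; i < remote_n; i++)
        if (!region_in_list(qr->qr_regions + (size_t)i * REGION_NAME_LEN, local, local_n))
            return MATCH_MISSING;
    return MATCH_OK;
}

/* Constructed sample: two regions on each side; only the claimed count varies. */
int demo(uint8_t claimed)
{
    struct query_region_msg qr = { .qr_numregions = claimed };
    uint8_t local[2 * REGION_NAME_LEN];
    memcpy(qr.qr_regions, "REGION-A", 8);
    memcpy(qr.qr_regions + REGION_NAME_LEN, "REGION-B", 8);
    memcpy(local, qr.qr_regions, sizeof local);
    return match_regions(&qr, local, 2);
}
int main(void) { return demo(2) != MATCH_OK; }
```

A claimed count of 33 or 255 is rejected before any loop runs, while a count of exactly 32 is still accepted and iterated with a strict '<' bound.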

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's ocfs2/dlm component. Such out-of-bounds reads may cause system instability, crashes, or potentially expose sensitive kernel memory contents to an attacker.

An attacker who can send crafted DLM_QUERY_REGION network messages could exploit this flaw to read memory beyond intended boundaries, which might lead to information disclosure or denial of service conditions.

Mitigation Strategies

The vulnerability is fixed by applying a patch that adds a bounds check for the qr_numregions field in the dlm_match_regions() function of the Linux kernel.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes the patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()" which was published on 2026-06-24.
