{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45984","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.090Z","datePublished":"2026-05-27T12:18:42.964Z","dateUpdated":"2026-07-09T12:09:55.000Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-30T10:46:25.407Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in iomap inline data write path\n\nThe inline data buffer head (dibh) is being released prematurely in\ngfs2_iomap_begin() via release_metapath() while iomap->inline_data\nstill points to dibh->b_data. This causes a use-after-free when\niomap_write_end_inline() later attempts to write to the inline data\narea.\n\nThe bug sequence:\n1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode\n   metadata into dibh\n2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)\n3. Calls release_metapath() which calls brelse(dibh), dropping refcount\n   to 0\n4. kswapd reclaims the page (~39ms later in the syzbot report)\n5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data\n6. KASAN detects use-after-free write to freed memory\n\nFix by storing dibh in iomap->private and incrementing its refcount\nwith get_bh() in gfs2_iomap_begin(). The buffer is then properly\nreleased in gfs2_iomap_end() after the inline write completes,\nensuring the page stays alive for the entire iomap operation.\n\nNote: A C reproducer is not available for this issue. The fix is based\non analysis of the KASAN report and code review showing the buffer head\nis freed before use.\n\n[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid\nleaks in gfs2_iomap_get() and gfs2_iomap_alloc().]"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/gfs2/bmap.c"],"versions":[{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"1403989d1b502f4a2c0d0b42ccf1c25748442eff","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"1cae1bafdf9caa9b462b19af06b1a06902e4e142","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"764c3c84b5683e608f43735c803a5f415046686c","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"d87268326b277af3665237ac76a73dd9fa8e21b4","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"87d4954b5c59735a99ea98cb208d47130f6dce7d","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"6d76febba07c40bcf358f63216d36ea68cf1c215","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"815ddd27c0c7171a99fe802fdb19098ddef8b19d","status":"affected","versionType":"git"},{"version":"d0a22a4b03b8475b7aa3fa41243c26c291407844","lessThan":"faddeb848305e79db89ee0479bb0e33380656321","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/gfs2/bmap.c"],"versions":[{"version":"5.2","status":"affected"},{"version":"0","lessThan":"5.2","status":"unaffected","versionType":"semver"},{"version":"5.10.252","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.14","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.4","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.10.252"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.18.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.19.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff"},{"url":"https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142"},{"url":"https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c"},{"url":"https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4"},{"url":"https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d"},{"url":"https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215"},{"url":"https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d"},{"url":"https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321"}],"title":"gfs2: Fix use-after-free in iomap inline data write path","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"affected":[{"cpes":["cpe:/a:redhat:rhel_e4s:9.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:rhel_aus:8.6::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS AUS (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:rhel_e4s:9.4::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS E4S (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CRB (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::nfv"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux NFV (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.4::nfv"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::nfv"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time for NFV (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::realtime"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux RT (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.4::realtime"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time E4S (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::realtime"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unknown","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_nvidia:"],"defaultStatus":"unknown","product":"Red Hat Enterprise Linux for NVIDIA 26","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unknown","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"}],"datePublic":"2026-05-27T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in the Linux kernel's GFS2 filesystem. This memory corruption vulnerability, a use-after-free, occurs in the iomap inline data write path. The issue arises because a data buffer is released prematurely while still being referenced, leading to a write to freed memory. This could allow a local attacker to cause system instability or a denial of service (DoS)."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-826","description":"Premature Release of Resource During Expected Lifetime","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-45984"},{"name":"RHBZ#2481922","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2481922"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45984.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36767"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:27789"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:33743"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35894"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36049"}],"solutions":[{"lang":"en","value":"RHSA-2026:36767: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"},{"lang":"en","value":"RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"},{"lang":"en","value":"RHSA-2026:33743: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"},{"lang":"en","value":"RHSA-2026:35894: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"},{"lang":"en","value":"RHSA-2026:36049: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"}],"timeline":[{"lang":"en","time":"2026-05-27T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-27T00:00:00.000Z","value":"Made public."}],"title":"kernel: gfs2: Fix use-after-free in iomap inline data write path","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:55.000Z"}}]}}