Linux Kernel gfs2 UAF in iomap write path
CVE-2026-45984 Published on May 27, 2026

gfs2: Fix use-after-free in iomap inline data write path
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix use-after-free in iomap inline data write path

The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area.

The bug sequence:

1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use.

[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

NVD
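The reference-count lifetime described above can be modelled in userspace. The following is an added example, not kernel code and not part of the original advisory or patch: the structs, the `fixed` flag, `run()` and `DINODE_SIZE` are simplified, hypothetical stand-ins, and a `live` flag stands in for page reclaim so that no freed memory is ever touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define DINODE_SIZE 16 /* constructed stand-in for sizeof(struct gfs2_dinode) */

struct bh { int count; bool live; char data[64]; };      /* models a buffer_head */
struct iomap { char *inline_data; struct bh *private; }; /* models struct iomap */

static void get_bh(struct bh *b) { b->count++; }

/* At refcount 0 the page is reclaimable; clearing "live" models kswapd. */
static void brelse(struct bh *b) { if (--b->count == 0) b->live = false; }

/* fixed == false models the pre-patch flow, fixed == true the patched flow. */
static void iomap_begin(struct bh *dibh, struct iomap *im, bool fixed)
{
    dibh->count = 1;                        /* gfs2_meta_inode_buffer() */
    dibh->live = true;
    im->inline_data = dibh->data + DINODE_SIZE;
    im->private = NULL;
    if (fixed) {                            /* pin dibh for the whole operation */
        get_bh(dibh);
        im->private = dibh;
    }
    brelse(dibh);                           /* release_metapath() */
}

/* Returns 0 on success, -1 where the kernel would write to freed memory. */
static int write_end_inline(struct bh *dibh, struct iomap *im,
                            const char *src, size_t n)
{
    if (!dibh->live)
        return -1;                          /* the point where KASAN reports */
    memcpy(im->inline_data, src, n);
    return 0;
}

/* Drops the reference taken in iomap_begin(), if one was taken. */
static void iomap_end(struct iomap *im)
{
    if (im->private) { brelse(im->private); im->private = NULL; }
}

/* Runs begin -> inline write -> end and returns the write result. */
static int run(bool fixed, struct bh *dibh)
{
    struct iomap im;
    iomap_begin(dibh, &im, fixed);
    int r = write_end_inline(dibh, &im, "abc", 3);
    iomap_end(&im);
    return r;
}

int main(void) { struct bh b; return run(true, &b) == 0 ? 0 : 1; }
```

In both flows the reference count ends at zero; the difference is that the patched flow defers the final brelse() until after the inline write.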

Vulnerability Analysis

CVE-2026-45984 is exploitable with local system access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Type

Premature Release of Resource During Expected Lifetime

The program releases a resource that is still intended to be used by the program itself or another actor.



Affected Versions

Linux:
Linux:
Red Hat Enterprise Linux AppStream (v. 9):
Red Hat Enterprise Linux BaseOS (v. 8):
Red Hat Enterprise Linux BaseOS (v. 9):
Red Hat Enterprise Linux CRB (v. 8):
Red Hat Enterprise Linux CodeReady Linux Builder (v. 9):
Red Hat Enterprise Linux Real Time for NFV (v. 9):
Red Hat Enterprise Linux Real Time (v. 9):
Red Hat Enterprise Linux 7:
Red Hat Enterprise Linux 8:
Red Hat Enterprise Linux 9:
Red Hat Enterprise Linux 10:
Red Hat Enterprise Linux 6:
Red Hat Enterprise Linux for NVIDIA 26:
Red Hat OpenShift Container Platform 4:

Exploit Probability

EPSS: 0.13%
Percentile: 2.56%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.