Linux Kernel gfs2 UAF in iomap write path
CVE-2026-45984 Published on May 27, 2026
gfs2: Fix use-after-free in iomap inline data write path
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix use-after-free in iomap inline data write path
The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath() while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data
area.
The bug sequence:
1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode
metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount
to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory
Fix by storing dibh in iomap->private and incrementing its refcount
with get_bh() in gfs2_iomap_begin(). The buffer is then properly
released in gfs2_iomap_end() after the inline write completes,
ensuring the page stays alive for the entire iomap operation.
Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.
[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid
leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Vulnerability Analysis
CVE-2026-45984 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Premature Release of Resource During Expected Lifetime
The program releases a resource that is still intended to be used by the program itself or another actor.
Products Associated with CVE-2026-45984
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-45984 are published in these products:
Affected Versions
Linux:- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below 1403989d1b502f4a2c0d0b42ccf1c25748442eff is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below 1cae1bafdf9caa9b462b19af06b1a06902e4e142 is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below 764c3c84b5683e608f43735c803a5f415046686c is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below d87268326b277af3665237ac76a73dd9fa8e21b4 is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below 87d4954b5c59735a99ea98cb208d47130f6dce7d is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below 6d76febba07c40bcf358f63216d36ea68cf1c215 is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below 815ddd27c0c7171a99fe802fdb19098ddef8b19d is affected.
- Version d0a22a4b03b8475b7aa3fa41243c26c291407844 and below faddeb848305e79db89ee0479bb0e33380656321 is affected.
- Version 5.2 is affected.
- Before 5.2 is unaffected.
- Version 5.10.252, <= 5.10.* is unaffected.
- Version 5.15.202, <= 5.15.* is unaffected.
- Version 6.1.165, <= 6.1.* is unaffected.
- Version 6.6.128, <= 6.6.* is unaffected.
- Version 6.12.75, <= 6.12.* is unaffected.
- Version 6.18.14, <= 6.18.* is unaffected.
- Version 6.19.4, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.