CVE-2026-45984
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
A use-after-free vulnerability was discovered in the Linux kernel's GFS2 filesystem inline data write path. The metadata buffer head (dibh) is released prematurely in gfs2_iomap_begin() while iomap->inline_data still points to its data, leading to a write to freed memory. This can compromise system integrity.
Risk Assessment
The organization risks GFS2 filesystem corruption, data loss, or potential privilege escalation due to writing to freed kernel memory. The vulnerability can be triggered by a local user performing write operations on GFS2 files.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). Monitor for the patch availability in your distribution and apply it after testing in a non-production environment.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

