CVE-2026-45984
Description
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 6.1.170-1 |
| debian | bullseye | fixed | 5.10.257-1 |
| debian | forky | fixed | 6.18.14-1 |
| debian | sid | fixed | 6.18.14-1 |
| debian | trixie | fixed | 6.12.85-1 |
References
- https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff
- https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142
- https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c
- https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4
- https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d
- https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215
- https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d
- https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321
- https://security-tracker.debian.org/tracker/CVE-2026-45984
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.