Skip to main content

Linux Kernel OCFS2 CVE-2026-31597

| EUVDEUVD-2026-25490 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-8pwc-q4rq-xxf3
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 14:38 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 14:15 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:33 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25490
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.

AnalysisAI

Use-after-free in Linux kernel OCFS2 filesystem enables local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when filemap_fault() drops mmap_lock before returning VM_FAULT_RETRY, allowing concurrent munmap() to free the vm_area_struct while ocfs2_fault() still holds a dangling pointer. Vendor patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the OCFS2 (Oracle Cluster File System 2) implementation in the Linux kernel's memory management subsystem. The flaw lies in the interaction between page fault handling (filemap_fault) and virtual memory area lifecycle management. When filemap_fault() encounters a VM_FAULT_RETRY condition - typically during I/O operations or folio locking - it may release the mmap_lock semaphore as documented in mm/filemap.c. During this window, another thread executing munmap() can proceed through remove_vma() and schedule the vm_area_struct for RCU-deferred destruction. The ocfs2_fault() function retains a pointer to this freed memory and subsequently dereferences it during trace_ocfs2_fault() invocation, triggering a use-after-free condition. The fix involves capturing ip_blkno as a plain integer value before the potentially lock-dropping filemap_fault() call, ensuring the value remains valid regardless of subsequent vma or inode state changes. This represents a classic time-of-check-time-of-use (TOCTOU) race condition in kernel memory management code.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83, 6.18.24, 6.19.14, or 7.0.1 depending on your current stable branch. Upstream fixes are available at https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d and related commit references. Organizations unable to immediately patch should implement compensating controls with the following trade-offs: disable OCFS2 filesystem mounting via kernel module blacklisting (add 'install ocfs2 /bin/true' to /etc/modprobe.d/) which eliminates attack surface but breaks OCFS2-dependent cluster applications; restrict local shell access to trusted administrators only, reducing attacker capability to trigger the race condition but not eliminating risk from compromised accounts; implement kernel page table isolation (KPTI) and other kernel hardening features (CONFIG_SLAB_FREELIST_HARDENED, CONFIG_INIT_ON_ALLOC_DEFAULT_ON) to increase exploitation difficulty, though these add 5-30% performance overhead and do not prevent the underlying use-after-free. For Oracle RAC environments requiring OCFS2, schedule emergency patching windows as no effective workaround exists that maintains cluster filesystem functionality.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy