Skip to main content

Linux Kernel CVE-2026-45861

| EUVDEUVD-2026-32327 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v5c4-8mx9-g6x5
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:25 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix slab-use-after-free in qd_put

Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed to remove these objects from the LRU list, causing LRU list corruption. This caused use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access already-freed objects on the LRU list.

Fix this by removing qd objects from the LRU list before freeing them in qd_put().

Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>.

AnalysisAI

Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.

Technical ContextAI

The bug lives in fs/gfs2 quota handling code in the Linux kernel. GFS2 is a shared-disk cluster filesystem used in high-availability storage clusters (commonly with Red Hat Resilient Storage / Pacemaker). Quota data (qd) objects are tracked on an LRU list managed by a memory shrinker (gfs2_qd_shrink_scan) that reclaims them under memory pressure. The regression commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") changed shutdown behavior to free qd objects immediately rather than recycling them to the LRU, but neglected to unlink them from the LRU list first - leaving dangling LRU entries pointing into freed slab memory. The root cause is a classic use-after-free (CWE-416-class) resulting from missing list_del_init before kmem_cache_free, exposed when the shrinker walks the list concurrently with shutdown.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.75, 6.18.14, 6.19.4, or 7.0 (or later) on the appropriate stable series, picking up one of the upstream fixes at git.kernel.org/stable/c/1d47922b98046b8070a77347fb883a6523792803, /22150a7d401d9e9169b9b68e05bed95f7f49bf69, /80fff26d7a0c3926b511661c27eecc811a420eef, or /ca7c67bdd293089b3483f18886d6b2d0037d2ad9, then reboot to load the new kernel. Distribution users should track their vendor's kernel advisory (e.g., RHEL/Oracle/SUSE Resilient Storage updates) and apply the backported package. If patching must be deferred, the most effective compensating control is to avoid mounting GFS2 filesystems on affected hosts (or unmount them on hosts where GFS2 is not strictly required) - the trade-off is loss of clustered shared-storage access, which may be unacceptable in HA environments. As a secondary measure, restrict local shell and container access to trusted users on GFS2-mounted nodes to reduce the population that can drive the shrinker path during shutdown, accepting that this does not eliminate the race.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy