Skip to main content

Linux Kernel CVE-2026-45961

| EUVDEUVD-2026-32245 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-848w-4wg8-36v4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only trigger via GFS2 mount operations requiring low privilege; purely availability impact through incremental kernel memory exhaustion, no confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:41 vuln.today
CVSS changed
Jun 16, 2026 - 02:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

gfs2: fix memory leaks in gfs2_fill_super error path

Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails.

First leak: kthread objects (thread_struct, task_struct, etc.) When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the created kernel threads (logd and quotad) are never destroyed. This occurs because the fail_per_node label doesn't call gfs2_destroy_threads().

Second leak: quota bitmap buffer (8192 bytes) When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but before other operations complete, the allocated quota bitmap is never freed.

The fix moves thread cleanup to the fail_per_node label to handle all error paths uniformly. gfs2_destroy_threads() is safe to call unconditionally as it checks for NULL pointers. Quota cleanup is added in gfs2_make_fs_rw() to properly handle the withdrawal case where quota initialization succeeds but the filesystem is then withdrawn.

Thread leak backtrace (gfs2_freeze_lock_shared failure): unreferenced object 0xffff88801d7bca80 (size 4480): copy_process+0x3a1/0x4670 kernel/fork.c:2422 kernel_clone+0xf3/0x6e0 kernel/fork.c:2779 kthread_create_on_node+0x100/0x150 kernel/kthread.c:478 init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611 gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265

Quota leak backtrace (gfs2_make_fs_rw failure): unreferenced object 0xffff88812de7c000 (size 8192): gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409 gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149 gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275

AnalysisAI

Memory leaks in the GFS2 cluster filesystem driver (fs/gfs2/) allow a local low-privileged user to exhaust kernel memory over time, producing availability degradation or denial of service on affected Linux systems. Two distinct leak paths exist in gfs2_fill_super() error handling: kernel thread objects for logd and quotad (~4480 bytes each) are not released when gfs2_freeze_lock_shared() fails after init_threads() succeeds, and a quota bitmap buffer (8192 bytes) is not freed when gfs2_make_fs_rw() fails after gfs2_quota_init() completes. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a triggered-path defect requiring GFS2-specific failure conditions rather than opportunistic mass exploitation.

Technical ContextAI

GFS2 (Global File System 2) is a cluster-aware filesystem for Linux designed for shared block storage across multiple nodes, commonly used in Red Hat high-availability environments. The vulnerability resides in gfs2_fill_super() at fs/gfs2/ops_fstype.c, the superblock initialization routine invoked during filesystem mount. CWE-401 (Missing Release of Memory after Effective Lifetime) applies to both leak paths: first, the fail_per_node error label omits a call to gfs2_destroy_threads(), leaving kthread structures including thread_struct and task_struct allocated but unreferenced after gfs2_freeze_lock_shared() fails; second, the withdrawal path in gfs2_make_fs_rw() at fs/gfs2/super.c does not free the quota bitmap allocated by gfs2_quota_init() at quota.c:1409. The fix unconditionally calls gfs2_destroy_threads() at fail_per_node (safe because it null-checks internally) and adds quota cleanup to the gfs2_make_fs_rw() withdrawal path. The affected CPE is cpe:2.3:o:linux:linux_kernel across multiple stable branches.

RemediationAI

Apply the upstream stable kernel patches available at https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102 and https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c. Distribution consumers should update to the corresponding patched stable releases: 5.10.173 or later in the 5.10 branch, 5.15.99 or later in the 5.15 branch, 6.1.16 or later in the 6.1 branch, 6.2.3 or later in the 6.2 branch, or Linux 6.19.4 and 7.0 in the mainline track per EUVD-2026-32245. For systems where an immediate kernel update is operationally infeasible, a practical compensating control is to unload and blacklist the gfs2 module - run 'modprobe -r gfs2' and add 'blacklist gfs2' to /etc/modprobe.d/ - which eliminates the attack surface entirely; the trade-off is that this disables all GFS2 cluster filesystem functionality. Systems that never mount GFS2 volumes require no remediation action. No workarounds short of module removal are effective, as the leak is internal to kernel error-path logic with no user-configurable option.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy