Skip to main content

Linux Kernel CVE-2026-53043

| EUVDEUVD-2026-38911 CRITICAL
Out-of-bounds Write (CWE-787)
2026-06-24 Linux GHSA-hv9w-qqh8-9pfh
9.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
9.1 CRITICAL

Crafted unauthenticated o2net message triggers the read (AV:N/AC:L/PR:N/UI:N); out-of-bounds read yields kernel info-leak (C:H) and node crash (A:H) with no integrity impact (I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:55 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.1 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
CRITICAL 9.1
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues:

  • Patch 1 adds a bounds check to reject messages where qr_numregions

exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.

  • Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,

which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.

This patch (of 2):

The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.

AnalysisAI

Out-of-bounds memory read in the Linux kernel's OCFS2 distributed lock manager (dlm_match_regions) lets a remote host send a crafted DLM_QUERY_REGION message whose attacker-controlled qr_numregions field (up to 255) drives loops past the fixed 1024-byte/32-entry qr_regions buffer. Because the o2net transport only checks message byte length and not field values, this enables disclosure of adjacent kernel memory and likely node crashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain access to OCFS2 cluster interconnect
Delivery
Craft DLM_QUERY_REGION with qr_numregions > 32
Exploit
Send message to peer node
Execution
dlm_match_regions reads past qr_regions buffer
Impact
Leak adjacent kernel memory or panic node

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target host runs OCFS2 with the in-kernel DLM active and that the attacker can deliver a DLM_QUERY_REGION (o2net) message to it over the cluster network - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the OCFS2 cluster interconnect (a malicious or compromised cluster node, or someone able to inject onto the private heartbeat network) crafts a DLM_QUERY_REGION message setting qr_numregions to a value above 32. When a peer node processes it in dlm_match_regions(), the kernel reads past the 1024-byte qr_regions buffer, leaking adjacent kernel memory into the comparison or panicking the node. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10 (and 7.1 mainline) - or apply your distribution's kernel update carrying the corresponding git.kernel.org commits (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running OCFS2 and assess their role in critical operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy