Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Crafted unauthenticated o2net message triggers the read (AV:N/AC:L/PR:N/UI:N); out-of-bounds read yields kernel info-leak (C:H) and node crash (A:H) with no integrity impact (I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.
This patch (of 2):
The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer.
Add a bounds check for qr_numregions before entering the loops.
AnalysisAI
Out-of-bounds memory read in the Linux kernel's OCFS2 distributed lock manager (dlm_match_regions) lets a remote host send a crafted DLM_QUERY_REGION message whose attacker-controlled qr_numregions field (up to 255) drives loops past the fixed 1024-byte/32-entry qr_regions buffer. Because the o2net transport only checks message byte length and not field values, this enables disclosure of adjacent kernel memory and likely node crashes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target host runs OCFS2 with the in-kernel DLM active and that the attacker can deliver a DLM_QUERY_REGION (o2net) message to it over the cluster network - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the OCFS2 cluster interconnect (a malicious or compromised cluster node, or someone able to inject onto the private heartbeat network) crafts a DLM_QUERY_REGION message setting qr_numregions to a value above 32. When a peer node processes it in dlm_match_regions(), the kernel reads past the 1024-byte qr_regions buffer, leaking adjacent kernel memory into the comparison or panicking the node. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10 (and 7.1 mainline) - or apply your distribution's kernel update carrying the corresponding git.kernel.org commits (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running OCFS2 and assess their role in critical operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38911
GHSA-hv9w-qqh8-9pfh