Skip to main content

Linux Kernel OCFS2 EUVDEUVD-2026-25491

| CVE-2026-31598 HIGH
Improper Locking (CWE-667)
2026-04-24 Linux GHSA-cqwh-r98h-2279
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 20:10 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:33 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25491
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix possible deadlock between unlink and dio_end_io_write

ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key.

Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): ocfs2_unlink ocfs2_prepare_orphan_dir ocfs2_lookup_lock_orphan_dir inode_lock(orphan_dir_inode) <- lock A __ocfs2_prepare_orphan_dir ocfs2_prepare_dir_for_insert ocfs2_extend_dir ocfs2_expand_inline_dir down_write(&oi->ip_alloc_sem) <- Lock B

Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock): ocfs2_dio_end_io_write down_write(&oi->ip_alloc_sem) <- Lock B ocfs2_del_inode_from_orphan() inode_lock(orphan_dir_inode) <- Lock A

Deadlock Scenario: CPU0 (unlink) CPU1 (dio_end_io_write) ------ ------ inode_lock(orphan_dir_inode) down_write(ip_alloc_sem) down_write(ip_alloc_sem) inode_lock(orphan_dir_inode)

Since ip_alloc_sem is to protect allocation changes, which is unrelated with operations in ocfs2_del_inode_from_orphan. So move ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.

AnalysisAI

Kernel deadlock in Linux OCFS2 filesystem allows remote denial of service through lock ordering violation between unlink and direct I/O operations. OCFS2's orphan directory locking in ocfs2_unlink and ocfs2_dio_end_io_write acquire ip_alloc_sem and inode_lock in opposite orders (ABBA pattern), enabling concurrent operations to deadlock the system. Affects mainline Linux kernel through 6.19.14 with patches available in 6.12.83, 6.18.24, 7.0.1, and 6.19.14. EPSS score of 0.02% suggests minimal real-world exploitation likelihood despite CVSS 7.5 score, and no active exploitation or public POC identified.

Technical ContextAI

OCFS2 (Oracle Cluster File System version 2) is a shared-disk cluster filesystem for Linux that supports concurrent multi-node access. This vulnerability stems from inconsistent lock acquisition ordering in the orphan directory management subsystem. The orphan directory temporarily holds inodes for files being deleted or truncated. The ip_alloc_sem semaphore protects allocation metadata changes, while inode_lock serializes directory operations. When ocfs2_unlink removes a file, it locks the orphan directory inode first, then acquires ip_alloc_sem during directory expansion. Conversely, ocfs2_dio_end_io_write (the direct I/O completion path) reverses this order, acquiring ip_alloc_sem before attempting to remove the inode from the orphan directory. This textbook ABBA deadlock scenario violates proper lock hierarchy and can cause system hangs under concurrent unlink and direct I/O workloads. The CPE strings cpe:2.3:a:linux:linux indicate this affects the core Linux kernel implementation, not distribution-specific builds.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83, 6.18.24, 7.0.1, or 6.19.14 depending on your stable branch. Patches available from https://git.kernel.org/stable/c/2b884d52273c60c298bd570163e8053657bbaff6 (mainline), https://git.kernel.org/stable/c/bc0fb5c7d54c78be43a536df0e20dee32adb27d3, https://git.kernel.org/stable/c/f9fb1a7b635849322e1d7b7b6b26389778ec8e82, and https://git.kernel.org/stable/c/e049f7a9bd80b7319590789ea5e1c523d6339d91. The fix relocates ocfs2_del_inode_from_orphan outside the ip_alloc_sem critical section, eliminating the lock ordering violation. If immediate patching is not feasible, consider temporary workarounds: disable direct I/O on OCFS2 filesystems (mount without o_direct support), which prevents the ocfs2_dio_end_io_write code path from executing - this trades performance for stability. Alternatively, if OCFS2 is not operationally required, migrate to alternative cluster filesystems like GFS2 or distributed storage solutions. Monitor for kernel hung task warnings in dmesg indicating deadlock conditions. Note that disabling direct I/O may significantly impact database and application performance that relies on unbuffered I/O operations.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy