Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reachable only via OCFS2 DLM cluster negotiation from a trusted peer (PR:H, AC:H); impact limited to a one-entry out-of-bounds read causing minor info leak (C:L) or instability (A:L).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'.
Fix the loop condition to use '<' for consistency and correctness.
AnalysisAI
Out-of-bounds read in the Linux kernel's OCFS2 cluster filesystem DLM (Distributed Lock Manager) stems from an off-by-one error in dlm_match_regions(), where the local-vs-remote region comparison loop uses '<=' instead of '<' and reads one entry past the valid range of the qr_regions array. It affects systems running the OCFS2 shared-disk cluster filesystem and is reachable when nodes negotiate heartbeat/region membership; the upstream tag classifies it as Information Disclosure rather than code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target host to be running the OCFS2 clustered filesystem with its in-kernel DLM active and participating in cluster region/heartbeat negotiation - the vulnerable dlm_match_regions() path is not reached on systems without OCFS2 in use. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised a node in an OCFS2 cluster crafts a region descriptor list that drives dlm_match_regions() on a peer node to compare one element past the end of the qr_regions array, causing an out-of-bounds read of adjacent kernel memory that may leak a small amount of information or destabilize the node. No public exploit is identified at time of analysis, and the practical attack complexity is high because cluster membership and crafted DLM negotiation traffic are required. |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (pick the patch level matching your stable series), then reboot or apply via livepatch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running the OCFS2 cluster filesystem; assess the sensitivity classification of data stored in shared-disk clusters. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-193 – Off-by-one Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39844
GHSA-cjh6-575g-258g