In the Linux kernel, the following vulnerability has been resolved:
ocfs2: validate bg_bits during freefrag scan
[BUG] A crafted filesystem can trigger an out-of-bounds bitmap walk when OCFS2IOCINFO is issued with OCFS2INFOFLNONCOHERENT.
BUG: KASAN: use-after-free in instrumentatomicread include/linux/instrumented.h:68 [inline] BUG: KASAN: use-after-free in testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: use-after-free in testbitle include/asm-generic/bitops/le.h:21 [inline] BUG: KASAN: use-after-free in ocfs2infofreefragscanchain fs/ocfs2/ioctl.c:495 [inline] BUG: KASAN: use-after-free in ocfs2infofreefragscanbitmap fs/ocfs2/ioctl.c:588 [inline] BUG: KASAN: use-after-free in ocfs2infohandlefreefrag fs/ocfs2/ioctl.c:662 [inline] BUG: KASAN: use-after-free in ocfs2infohandlerequest+0x1c66/0x3370 fs/ocfs2/ioctl.c:754 Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435 Call Trace: __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0xbe/0x130 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xd1/0x650 mm/kasan/report.c:482 kasanreport+0xfb/0x140 mm/kasan/report.c:595 checkregioninline mm/kasan/generic.c:186 [inline] kasancheckrange+0x11c/0x200 mm/kasan/generic.c:200 __kasancheckread+0x11/0x20 mm/kasan/shadow.c:31 instrumentatomicread include/linux/instrumented.h:68 [inline] testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] testbitle include/asm-generic/bitops/le.h:21 [inline] ocfs2infofreefragscanchain fs/ocfs2/ioctl.c:495 [inline] ocfs2infofreefragscanbitmap fs/ocfs2/ioctl.c:588 [inline] ocfs2infohandlefreefrag fs/ocfs2/ioctl.c:662 [inline] ocfs2infohandlerequest+0x1c66/0x3370 fs/ocfs2/ioctl.c:754 ocfs2infohandle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828 ocfs2ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:597 [inline] __sesysioctl fs/ioctl.c:583 [inline] __x64sysioctl+0x197/0x1e0 fs/ioctl.c:583 ...
[CAUSE] ocfs2infofreefragscanchain() uses on-disk bgbits directly as the bitmap scan limit. The coherent path reads group descriptors through ocfs2readgroupdescriptor(), which validates the descriptor before use. The non-coherent path uses ocfs2readblockssync() instead and skips that validation, so an impossible bgbits value can drive the bitmap walk past the end of the block.
[FIX] Compute the bitmap capacity from the filesystem format with ocfs2groupbitmapsize(), report descriptors whose bgbits exceeds that limit, and clamp the scan to the computed capacity. This keeps the freefrag report going while avoiding reads beyond the buffer.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53040.json",
"cna_assigner": "Linux"
}