CVE-2026-53040

Source
https://cve.org/CVERecord?id=CVE-2026-53040
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53040.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53040
Downstream
Related
Published
2026-06-24T16:29:46.737Z
Modified
2026-07-12T03:54:52.585739095Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
ocfs2: validate bg_bits during freefrag scan
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate bg_bits during freefrag scan

[BUG] A crafted filesystem can trigger an out-of-bounds bitmap walk when OCFS2IOCINFO is issued with OCFS2INFOFLNONCOHERENT.

BUG: KASAN: use-after-free in instrumentatomicread include/linux/instrumented.h:68 [inline] BUG: KASAN: use-after-free in testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: use-after-free in testbitle include/asm-generic/bitops/le.h:21 [inline] BUG: KASAN: use-after-free in ocfs2infofreefragscanchain fs/ocfs2/ioctl.c:495 [inline] BUG: KASAN: use-after-free in ocfs2infofreefragscanbitmap fs/ocfs2/ioctl.c:588 [inline] BUG: KASAN: use-after-free in ocfs2infohandlefreefrag fs/ocfs2/ioctl.c:662 [inline] BUG: KASAN: use-after-free in ocfs2infohandlerequest+0x1c66/0x3370 fs/ocfs2/ioctl.c:754 Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435 Call Trace: __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0xbe/0x130 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xd1/0x650 mm/kasan/report.c:482 kasanreport+0xfb/0x140 mm/kasan/report.c:595 checkregioninline mm/kasan/generic.c:186 [inline] kasancheckrange+0x11c/0x200 mm/kasan/generic.c:200 __kasancheckread+0x11/0x20 mm/kasan/shadow.c:31 instrumentatomicread include/linux/instrumented.h:68 [inline] testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] testbitle include/asm-generic/bitops/le.h:21 [inline] ocfs2infofreefragscanchain fs/ocfs2/ioctl.c:495 [inline] ocfs2infofreefragscanbitmap fs/ocfs2/ioctl.c:588 [inline] ocfs2infohandlefreefrag fs/ocfs2/ioctl.c:662 [inline] ocfs2infohandlerequest+0x1c66/0x3370 fs/ocfs2/ioctl.c:754 ocfs2infohandle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828 ocfs2ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:597 [inline] __sesysioctl fs/ioctl.c:583 [inline] __x64sysioctl+0x197/0x1e0 fs/ioctl.c:583 ...

[CAUSE] ocfs2infofreefragscanchain() uses on-disk bgbits directly as the bitmap scan limit. The coherent path reads group descriptors through ocfs2readgroupdescriptor(), which validates the descriptor before use. The non-coherent path uses ocfs2readblockssync() instead and skips that validation, so an impossible bgbits value can drive the bitmap walk past the end of the block.

[FIX] Compute the bitmap capacity from the filesystem format with ocfs2groupbitmapsize(), report descriptors whose bgbits exceeds that limit, and clamp the scan to the computed capacity. This keeps the freefrag report going while avoiding reads beyond the buffer.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53040.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d24a10b9f8ed548981696cd36e2b4f16e6f360b1
Fixed
bb2906a1065ec28de021bac2ed03f2624edd7d07
Fixed
3e167e230d19cd273108bab2e4c61800fc335ae8
Fixed
0998674eec138c55e9e349b9cbd9dbc5129a9cc8
Fixed
bb3c54d1e71578521111f1a1ee7d5f4761a242b8
Fixed
05d0cbea41167b6b061c6ba5b70ee5a9a7a24c9e
Fixed
4c2d62ddde8928db12f4608950b67a20e67deab2
Fixed
e0dcf12665d6dde37facf790803cdad44d5c328c
Fixed
8f687eeed3da3012152b0f9473f578869de0cd7b

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53040.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53040.json"