CVE-2026-53043

Source
https://cve.org/CVERecord?id=CVE-2026-53043
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53043.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53043
Downstream
Published
2026-06-24T16:29:49.480Z
Modified
2026-07-08T08:09:45.151050252Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qrnumregions in dlmmatch_regions()

Patch series "ocfs2/dlm: fix two bugs in dlmmatchregions()".

In dlmmatchregions(), the qrnumregions field from a DLMQUERYREGION network message is used to drive loops over the qrregions buffer without sufficient validation. This series fixes two issues:

  • Patch 1 adds a bounds check to reject messages where qrnumregions exceeds O2NMMAXREGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qrnumregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.

  • Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.

This patch (of 2):

The qrnumregions field from a DLMQUERYREGION network message is used directly as loop bounds in dlmmatchregions() without checking against O2NMMAXREGIONS. Since qrregions is sized for at most O2NMMAXREGIONS (32) entries, a crafted message with qrnumregions > 32 causes out-of-bounds reads past the qrregions buffer.

Add a bounds check for qr_numregions before entering the loops.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53043.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ea2034416b54700e30371f2ad6517cbb94674083
Fixed
d3d5efade0c79dac1cac98c0cb1115432f804439
Fixed
f69551139caf6d24242a0ad049ee46b264e3aee0
Fixed
1f8b91275912cd428289c1fb424bebd7ff5302bd
Fixed
f37de46149db49abd2b24f4f0c5a88cf4dfb5f47
Fixed
6c6e8fc3c007319981647b410c29bb5775048551
Fixed
3f474c33ebc2e2ca3fcb587d7de4375348f13373
Fixed
3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21
Fixed
7ab3fbb01bc6d79091bc375e5235d360cd9b78be

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53043.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.37
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53043.json"