In the Linux kernel, the following vulnerability has been resolved:
ocfs2/dlm: validate qrnumregions in dlmmatch_regions()
Patch series "ocfs2/dlm: fix two bugs in dlmmatchregions()".
In dlmmatchregions(), the qrnumregions field from a DLMQUERYREGION network message is used to drive loops over the qrregions buffer without sufficient validation. This series fixes two issues:
Patch 1 adds a bounds check to reject messages where qrnumregions exceeds O2NMMAXREGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qrnumregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.
Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.
This patch (of 2):
The qrnumregions field from a DLMQUERYREGION network message is used directly as loop bounds in dlmmatchregions() without checking against O2NMMAXREGIONS. Since qrregions is sized for at most O2NMMAXREGIONS (32) entries, a crafted message with qrnumregions > 32 causes out-of-bounds reads past the qrregions buffer.
Add a bounds check for qr_numregions before entering the loops.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53043.json",
"cna_assigner": "Linux"
}