U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2026-45984 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff kernel.org
https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142 kernel.org
https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215 kernel.org
https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c kernel.org
https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d kernel.org
https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d kernel.org
https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4 kernel.org
https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321 kernel.org

Weakness Enumeration

CWE-ID CWE Name Source

Change History

1 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-45984
NVD Published Date:
05/27/2026
NVD Last Modified:
05/27/2026
Source:
kernel.org