9.1 / 10 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.
This patch (of 2):
The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.
Add a bounds check for qr_numregions before entering the loops.
AI Analysis
Out-of-bounds reads in the Linux kernel due to insufficient validation of the qr_numregions field in DLM_QUERY_REGION network messages
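The bounds check described above, as an added user-space C illustration (not the kernel patch or kernel code). The struct is a simplified stand-in; REGION_NAME_LEN, unchecked_read_span(), validate_numregions() and match_regions() are hypothetical names, and the 32-byte entry size is an assumption derived from the 1024-byte buffer and 32-entry limit stated in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define O2NM_MAX_REGIONS 32   /* from the description: at most 32 entries */
#define REGION_NAME_LEN  32   /* assumption: 1024-byte buffer / 32 entries */

/* Simplified stand-in for the message payload, not the kernel's struct. */
struct query_region_msg {
    uint8_t qr_numregions;                                  /* sender-controlled, 0..255 */
    uint8_t qr_regions[O2NM_MAX_REGIONS * REGION_NAME_LEN]; /* 1024 bytes */
};

/* Bytes a loop would walk if it trusted the count as-is. */
size_t unchecked_read_span(uint8_t n) { return (size_t)n * REGION_NAME_LEN; }

/* The check Patch 1 describes: reject counts above O2NM_MAX_REGIONS. */
int validate_numregions(const struct query_region_msg *qr)
{
    return qr->qr_numregions > O2NM_MAX_REGIONS ? -1 : 0;
}

/* Hypothetical matcher: 1 = every remote region is known locally,
 * 0 = mismatch, -1 = message rejected before any region is read. */
int match_regions(const struct query_region_msg *qr,
                  const uint8_t *local, size_t local_count)
{
    if (validate_numregions(qr) != 0)
        return -1;
    for (size_t i = 0; i < qr->qr_numregions; i++) {  /* '<', not '<=' */
        const uint8_t *r = qr->qr_regions + i * REGION_NAME_LEN;
        int found = 0;
        for (size_t j = 0; j < local_count && !found; j++)
            found = memcmp(r, local + j * REGION_NAME_LEN, REGION_NAME_LEN) == 0;
        if (!found)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct query_region_msg m = { .qr_numregions = 255 }; /* constructed sample */
    printf("count=255 would span %zu of %zu bytes, verdict=%d\n",
           unchecked_read_span(255), sizeof m.qr_regions, match_regions(&m, NULL, 0));
    return 0;
}
```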
Basic Information
ID
CVE-2026-53043
Source
Linux
Published
Jun 24, 2026 at 16:29
Modified
Jun 28, 2026 at 06:38
Affected Product
Vendor
Linux
Product
Linux
Version
ea2034416b54700e30371f2ad6517cbb94674083
Affected Versions
Linux Linux ea2034416b54700e30371f2ad6517cbb94674083
Linux Linux 2.6.37
AI Assessment
AI Score
9.1 / 10
AI Severity
Critical
Vendor
The Linux Foundation
Product
Linux Kernel
Version
ea2034416b54700e30371f2ad6517cbb94674083, 2.6.37
References
- git.kernel.org/stable/c/d3d5efade0c79dac1cac98c0cb1115432f804439
- git.kernel.org/stable/c/f69551139caf6d24242a0ad049ee46b264e3aee0
- git.kernel.org/stable/c/1f8b91275912cd428289c1fb424bebd7ff5302bd
- git.kernel.org/stable/c/f37de46149db49abd2b24f4f0c5a88cf4dfb5f47
- git.kernel.org/stable/c/6c6e8fc3c007319981647b410c29bb5775048551
- git.kernel.org/stable/c/3f474c33ebc2e2ca3fcb587d7de4375348f13373
- git.kernel.org/stable/c/3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21
- git.kernel.org/stable/c/7ab3fbb01bc6d79091bc375e5235d360cd9b78be