CVE Alert

CVE-2026-31597

HIGH 7.8

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
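The pattern described above, as an added userland C model that is not the kernel's code or the upstream patch. Assumptions: static slots stand in for the allocator, a poison byte marks the released vma, the inode chain is flattened into one field, and every `*_model` name, `map_file()` and the two handler functions are hypothetical.

```c
/* Constructed userland model of the ocfs2_fault() pattern; not kernel code. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VM_FAULT_RETRY 0x400u /* model constant, only tested as a flag here */
#define POISON 0x6b           /* byte written over a released object */

/* ip_blkno stands in for the value reached through the vma in the real handler. */
struct vma_model { uint64_t ip_blkno; };
struct vmf_model { struct vma_model *vma; int unmap_races; };

/* A static slot replaces the allocator so reading a "freed" vma stays defined C. */
static struct vma_model vma_slot;

static struct vma_model *map_file(uint64_t blkno)
{
    vma_slot.ip_blkno = blkno;
    return &vma_slot;
}

/* Models filemap_fault(): on the retry path the lock is dropped and a
 * concurrent munmap() releases the vma before the call returns. */
static unsigned filemap_fault_model(struct vmf_model *vmf)
{
    if (!vmf->unmap_races)
        return 0;
    memset(vmf->vma, POISON, sizeof(*vmf->vma));
    return VM_FAULT_RETRY;
}

/* Before the fix: the trace argument is read through the saved vma afterwards. */
static uint64_t fault_before_fix(struct vmf_model *vmf, unsigned *ret)
{
    struct vma_model *vma = vmf->vma;
    *ret = filemap_fault_model(vmf);
    return vma->ip_blkno; /* stale read when VM_FAULT_RETRY was returned */
}

/* After the fix: ip_blkno is copied by value before the lock can be dropped. */
static uint64_t fault_after_fix(struct vmf_model *vmf, unsigned *ret)
{
    uint64_t blkno = vmf->vma->ip_blkno;
    *ret = filemap_fault_model(vmf);
    return blkno;
}

int main(void)
{
    unsigned ret;
    struct vmf_model vmf = { map_file(4242), 1 };
    printf("before fix: traced blkno = 0x%" PRIx64 "\n", fault_before_fix(&vmf, &ret));
    vmf.vma = map_file(4242);
    printf("after fix:  traced blkno = %" PRIu64 "\n", fault_after_fix(&vmf, &ret));
    return 0;
}
```

In the model the stale read returns the poison pattern; in the kernel the same read touches memory that may already have been reused, which is why the fix takes the copy before the call.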

Vendor: linux
Product: linux
Ecosystems
Industries
Technology
Published: Apr 24, 2026
Last Updated: Jun 1, 2026

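CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local (AV:L)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)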

Affected Versions

Linux / Linux
2.6.39

References

git.kernel.org: https://git.kernel.org/stable/c/36539c4d536f851a3b346a6ebb27b51bc3d77a94
git.kernel.org: https://git.kernel.org/stable/c/35c2c05261d6f6d84aaa1355afa201d507943e76
git.kernel.org: https://git.kernel.org/stable/c/3f5e74b5db9353b01ed50f4de84e75b755f8fbc2
git.kernel.org: https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
git.kernel.org: https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
git.kernel.org: https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2
git.kernel.org: https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
git.kernel.org: https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
git.kernel.org: https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921