KernelScan.io

HIGH

gfs2 QuotaData UAF

CVE-2026-45861

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 6.6 MEDIUM


In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qd_put Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed to remove these objects from the LRU list, causing LRU list corruption. This caused use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access already-freed objects on the LRU list. Fix this by removing qd objects from the LRU list before freeing them in qd_put(). Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>.


Engine v0.2.0

Risk summary

Local users with filesystem access can trigger a use-after-free vulnerability in the GFS2 quota subsystem during filesystem shutdown. The freed quota data object remains on the LRU list, so subsequent memory shrinker passes access or corrupt reclaimed slab memory. This can result in information disclosure (kernel heap contents), memory corruption, and kernel panic/denial of service.

Affected: fs/gfs2/quota.c (GFS2 filesystem)

Vulnerability analysis

The vulnerability stems from incomplete cleanup in the qd_put() function during GFS2 filesystem shutdown. When commit a475c5dd16e5 changed the behavior to free quota data objects synchronously instead of returning them to the LRU list, it failed to remove these objects from the LRU list before freeing them. This creates a dangling pointer situation where freed quota data objects remain linked in the LRU list. Later, when the memory shrinker (gfs2_qd_shrink_scan) runs and attempts to traverse or dispose objects on the LRU list, it accesses freed slab memory, causing a use-after-free condition. Because the object resides on a slab cache, the shrinker's list walks and disposals can read stale or reused memory (information disclosure) and corrupt newly allocated objects (integrity impact) before the invalid access triggers a kernel panic. The fix adds a single line to properly remove quota data objects from the LRU list before freeing them, ensuring list integrity and preventing the UAF.


Branch      Fixed in    Patch commit
6.12        6.12.7      ca7c67bdd293
6.18        6.18.14     1d47922b9804
6.19        6.19.4      80fff26d7a0c
mainline    7.0         22150a7d401d