CRITICAL
ocfs2/dlm Region OOB
CVE-2026-53309
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI4.4MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'. Fix the loop condition to use '<' for consistency and correctness.
02KernelScan AI Analysis
Risk summary
A privileged local user or cluster node joining an OCFS2 cluster can trigger an out-of-bounds read in the DLM region comparison logic, potentially causing a kernel panic or crash. The bug is reachable only when OCFS2 is configured with global heartbeat mode and a node attempts to join a DLM domain. Exploitation requires CAP_SYS_ADMIN or equivalent cluster management privileges.
Vulnerability analysis
The vulnerability is an off-by-one error in dlm_match_regions() in fs/ocfs2/dlm/dlmdomain.c. The inner loop iterating over remote qr_regions uses '<=' instead of '<' as its termination condition, causing it to read one element past the end of the qr_regions array when j equals qr->qr_numregions. This out-of-bounds read accesses memory beyond the allocated array, which could contain arbitrary kernel data and may cause a kernel panic or memory corruption depending on what lies adjacent. The fix is a single-character change replacing '<=' with '<', consistent with all other loops in the same function. The code path is triggered during DLM_QUERY_REGION message processing, which only occurs in global heartbeat mode when a node joins an OCFS2 cluster domain. This requires privileged access to configure and operate an OCFS2 cluster.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 760ab35040ac |
| 5.15 | 5.15.209 | c60a2710b738 |
| 6.1 | 6.1.175 | 2a0673836f01 |
| 6.12 | 6.12.91 | d5403ae28085 |
| 6.18 | 6.18.33 | 1fb7f356547d |
| 6.6 | 6.6.141 | 819d8ebad320 |
| 7.0 | 7.0.10 | 426cd8eedac8 |
| mainline | 7.1 | 01b61e8dda9b |