PT-2026-51937 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-53043
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ocfs2/dlm: validate qr numregions in dlm match regions()
Patch series "ocfs2/dlm: fix two bugs in dlm match regions()".
In dlm match regions(), the qr numregions field from a DLM QUERY REGION
network message is used to drive loops over the qr regions buffer without
sufficient validation. This series fixes two issues:
-
Patch 1 adds a bounds check to reject messages where qr numregions exceeds O2NM MAX REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr regions buffer.
-
Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr numregions is within bounds.
This patch (of 2):
The qr numregions field from a DLM QUERY REGION network message is used
directly as loop bounds in dlm match regions() without checking against
O2NM MAX REGIONS. Since qr regions is sized for at most O2NM MAX REGIONS
(32) entries, a crafted message with qr numregions > 32 causes
out-of-bounds reads past the qr regions buffer.
Add a bounds check for qr numregions before entering the loops.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux