In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:

- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.

- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.


This patch (of 2):

The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
ea2034416b54700e30371f2ad6517cbb94674083 affected < d3d5efade0c79dac1cac98c0cb1115432f804439
ea2034416b54700e30371f2ad6517cbb94674083 affected < f69551139caf6d24242a0ad049ee46b264e3aee0
ea2034416b54700e30371f2ad6517cbb94674083 affected < 1f8b91275912cd428289c1fb424bebd7ff5302bd
ea2034416b54700e30371f2ad6517cbb94674083 affected < f37de46149db49abd2b24f4f0c5a88cf4dfb5f47
ea2034416b54700e30371f2ad6517cbb94674083 affected < 6c6e8fc3c007319981647b410c29bb5775048551
ea2034416b54700e30371f2ad6517cbb94674083 affected < 3f474c33ebc2e2ca3fcb587d7de4375348f13373
ea2034416b54700e30371f2ad6517cbb94674083 affected < 3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21
ea2034416b54700e30371f2ad6517cbb94674083 affected < 7ab3fbb01bc6d79091bc375e5235d360cd9b78be
Linux Linux affected
Version Status Constraints
2.6.37 affected
0 unaffected < 2.6.37
5.10.258 unaffected ≤ 5.10.*
5.15.209 unaffected ≤ 5.15.*
6.1.175 unaffected ≤ 6.1.*
6.6.141 unaffected ≤ 6.6.*
6.12.91 unaffected ≤ 6.12.*
6.18.33 unaffected ≤ 6.18.*
7.0.10 unaffected ≤ 7.0.*
7.1 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/1f8b91275912cd428289c1fb424bebd7ff5302bd cve-icon
https://git.kernel.org/stable/c/3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21 cve-icon
https://git.kernel.org/stable/c/3f474c33ebc2e2ca3fcb587d7de4375348f13373 cve-icon
https://git.kernel.org/stable/c/6c6e8fc3c007319981647b410c29bb5775048551 cve-icon
https://git.kernel.org/stable/c/7ab3fbb01bc6d79091bc375e5235d360cd9b78be cve-icon
https://git.kernel.org/stable/c/d3d5efade0c79dac1cac98c0cb1115432f804439 cve-icon
https://git.kernel.org/stable/c/f37de46149db49abd2b24f4f0c5a88cf4dfb5f47 cve-icon
https://git.kernel.org/stable/c/f69551139caf6d24242a0ad049ee46b264e3aee0 cve-icon
History

Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qr_numregions in dlm_match_regions() Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()". In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues: - Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer. - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds. This patch (of 2): The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer. Add a bounds check for qr_numregions before entering the loops.
Title ocfs2/dlm: validate qr_numregions in dlm_match_regions()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:49.480Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53043

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses