目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-53040— ocfs2 文件系统 freefrag 扫描期间 bg_bits 验证漏洞

CVSS 7.1 · High EPSS 0.18% · P7
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-53040 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
ocfs2: validate bg_bits during freefrag scan
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate bg_bits during freefrag scan [BUG] A crafted filesystem can trigger an out-of-bounds bitmap walk when OCFS2_IOC_INFO is issued with OCFS2_INFO_FL_NON_COHERENT. BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: use-after-free in test_bit_le include/asm-generic/bitops/le.h:21 [inline] BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline] BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline] BUG: KASAN: use-after-free in ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline] BUG: KASAN: use-after-free in ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754 Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbe/0x130 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xd1/0x650 mm/kasan/report.c:482 kasan_report+0xfb/0x140 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:186 [inline] kasan_check_range+0x11c/0x200 mm/kasan/generic.c:200 __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] test_bit_le include/asm-generic/bitops/le.h:21 [inline] ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline] ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline] ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline] ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754 ocfs2_info_handle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828 ocfs2_ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583 ... [CAUSE] ocfs2_info_freefrag_scan_chain() uses on-disk bg_bits directly as the bitmap scan limit. The coherent path reads group descriptors through ocfs2_read_group_descriptor(), which validates the descriptor before use. The non-coherent path uses ocfs2_read_blocks_sync() instead and skips that validation, so an impossible bg_bits value can drive the bitmap walk past the end of the block. [FIX] Compute the bitmap capacity from the filesystem format with ocfs2_group_bitmap_size(), report descriptors whose bg_bits exceeds that limit, and clamp the scan to the computed capacity. This keeps the freefrag report going while avoiding reads beyond the buffer.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux d24a10b9f8ed548981696cd36e2b4f16e6f360b1 ~ bb2906a1065ec28de021bac2ed03f2624edd7d07 -
LinuxLinux 3.0 -

二、漏洞 CVE-2026-53040 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-53040 的情报信息

登录查看更多情报信息。

CVE-2026-53040 补丁与修复 (8)

同批安全公告 · Linux · 2026-06-24 · 共 219 条

CVE-2026-529829.8 CRITICALRealtek RTL8150 网卡 use-after-free 漏洞
CVE-2026-530469.8 CRITICALksmbd Qualcomm 加密引擎异步加密 UAF 漏洞
CVE-2026-529559.8 CRITICALlibceph crush_decode() 潜在越界访问漏洞
CVE-2026-530459.8 CRITICALTegra124 EMC dll_change 检查漏洞
CVE-2026-530499.8 CRITICALGFS2 文件系统日志锁定缺失漏洞
CVE-2026-530109.8 CRITICALksmbd 内核模块 SMB2 打开会话持久重连时存在使用之后释放漏洞
CVE-2026-530889.8 CRITICALBcmgenet 驱动 bcmgenet_put_txcb 偏移错误漏洞
CVE-2026-530069.8 CRITICALIPv6 icmpv6_rcv() 中可能的 UAF 漏洞
CVE-2026-530559.8 CRITICALHisilicon SEC2 使用后释放漏洞
CVE-2026-530029.8 CRITICALnetfilter conntrack移除sprintf使用
CVE-2026-530869.8 CRITICALNet: BCMGenet 修复竞态超时处理漏洞
CVE-2026-529149.8 CRITICALbatman-adv 片段重组长度计算漏洞
CVE-2026-529939.8 CRITICALTIPC tipc_buf_append() 双重释放漏洞
CVE-2026-529319.8 CRITICALbatman-adv tp_meter 未初始化变量使用漏洞
CVE-2026-529899.8 CRITICALnvmet-tcp 传播 nvmet_tcp_build_pdu_iovec() 错误到调用者
CVE-2026-529249.8 CRITICALsctp COOKIE-ECHO处理过时导致outqueue清理
CVE-2026-529869.8 CRITICALnetfilter nf_conntrack_sip 漏洞
CVE-2026-529999.1 CRITICALNetfilter: nfnetlink_osf 匹配选项越界读漏洞
CVE-2026-529589.1 CRITICALlibceph osdmap_decode() 越界访问漏洞
CVE-2026-530439.1 CRITICALOCFS2 DLM 队列区域数验证缺陷

显示前 20 条,共 219 条。 查看全部 → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53040

暂无评论


发表评论