CVE-2026-53043 (CRITICAL) · CNA: Linux

CVE-2026-53043: ocfs2/dlm: validate qr_numregions in dlm_match_regions()

In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues:

  • Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.
  • Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.

This patch (of 2): The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer. Add a bounds check for qr_numregions before entering the loops.
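To make the two fixes concrete, here is an added example in C (not the kernel's own code) that mirrors the shape of the dlm_match_regions() comparison with both patches applied. O2NM_MAX_REGIONS, the 32-byte region-name width and the resulting 1024-byte buffer come from the description above; the message layout, the packed local table, and the function names are assumed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Sizes from the CVE description: 32 regions of 32 bytes = the 1024-byte
 * qr_regions buffer that the unvalidated loops read past. */
#define O2NM_MAX_REGIONS 32
#define NAME_LEN 32   /* stand-in for the kernel's O2HB_MAX_REGION_NAME_LEN */
/* Simplified stand-in for the kernel's DLM_QUERY_REGION message (assumed layout). */
struct dlm_query_region {
    uint8_t qr_numregions;                         /* from the wire: any value 0..255 */
    char qr_regions[O2NM_MAX_REGIONS * NAME_LEN];  /* packed fixed-width names */
};
/* Is name among the first count entries of a packed table? Patch 2 is the '<':
 * entry number count (one past the last valid one) is never read. */
static int table_has(const char *table, unsigned int count, const char *name)
{
    unsigned int j;
    for (j = 0; j < count; j++)
        if (!strncmp(name, table + j * NAME_LEN, NAME_LEN))
            return 1;
    return 0;
}

/* Hardened comparison of the local region table (same packed layout) with a
 * received message: 0 = sets match, -1 = mismatch, -2 = malformed message. */
int dlm_match_regions_hardened(const char *local, unsigned int local_count,
                               const struct dlm_query_region *qr)
{
    unsigned int i;
    /* Patch 1: bound the count before any loop; o2net checks only byte length. */
    if (qr->qr_numregions > O2NM_MAX_REGIONS)
        return -2;
    for (i = 0; i < local_count; i++)        /* every local region seen remotely? */
        if (!table_has(qr->qr_regions, qr->qr_numregions, local + i * NAME_LEN))
            return -1;
    for (i = 0; i < qr->qr_numregions; i++)  /* every remote region known locally? */
        if (!table_has(local, local_count, qr->qr_regions + i * NAME_LEN))
            return -1;
    return 0;
}
/* Constructed scenario: this node has regions A and B; the peer's message names
 * A and B but claims the given count. Returns the hardened function's result. */
int run_scenario(unsigned int claimed_numregions)
{
    char local[O2NM_MAX_REGIONS * NAME_LEN] = "regionA";
    struct dlm_query_region qr = { (uint8_t)claimed_numregions, "regionA" };
    strcpy(local + NAME_LEN, "regionB");
    strcpy(qr.qr_regions + NAME_LEN, "regionB");
    return dlm_match_regions_hardened(local, 2, &qr);
}
```

A claimed count of 33 or 255 is now rejected before any entry is read, and an in-range but wrong count fails the set comparison instead of walking off the buffer.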

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's ocfs2/dlm subsystem, specifically in the dlm_match_regions() function. A remote attacker with network access to the DLM_QUERY_REGION service can send a crafted message with an inflated qr_numregions field (up to 255) to drive loop iteration past the 1024-byte qr_regions buffer, which holds at most 32 valid entries. Successful exploitation reads kernel memory beyond the buffer boundary, disclosing sensitive data and potentially causing a kernel crash. Patched-image rebuilds at fix version 5.10.258 and the corresponding upstream commits are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53043 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel security feeds and matched against customer images, including custom-built images, within minutes of publication. Any container image packaging an affected kernel version or ocfs2/dlm-enabled userspace stack is flagged automatically during both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at 9.1 CRITICAL (CVSS v3.1) and surfaces it at the top of the findings queue for affected images. Per-environment compliance policy weighting is applied, and the finding is routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild targeting Linux kernel 5.10.258 (and the corresponding upstream commit 1f8b91275912cd428289c1fb424bebd7ff5302bd) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the DLM_QUERY_REGION service over the network; AV:N indicates the vulnerable code path is exposed via a network-accessible interface.

  • Authentication: Not required

    No credentials or account are needed; PR:N means the attacker sends a crafted DLM_QUERY_REGION message without authenticating.

  • Victim interaction: Not required

    No user or administrator action is required to trigger the vulnerability; the crafted network message is processed automatically by the kernel.

  • Attack complexity: Low (AC:L)

    AC:L indicates that triggering the bug does not depend on special conditions: there is no race to win, no memory layout to guess, and no special environmental setup.

Blast Radius

  • Reads kernel memory contents beyond the qr_regions buffer, which may expose in-memory data such as DLM state, region metadata, or adjacent kernel structures to the attacker.
  • Abnormal memory access from iterating past buffer bounds can destabilize the kernel, causing a kernel oops or system crash and disrupting all workloads on the affected node.
  • In a shared ocfs2 cluster, a single compromised or malicious peer node can send the crafted message to other cluster nodes, amplifying the impact across the storage cluster.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images in customer registries and pipelines at ingest time, including custom-built Linux-based images that bundle an affected kernel. For environments running a kernel version prior to 5.10.258 or the relevant upstream fix commits, a patched-image rebuild is available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs the configured regression suite, and opens a pull request against affected workloads; for critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the HarborGuard dashboard with fix-version details so teams can act manually. Customers relying on ocfs2 cluster networking should also consider restricting access to DLM cluster ports via network policy to limit exposure to trusted cluster peers until the patched image is rolled out.

Affected packages

  • Linux / Linux
    Affected from commit ea2034416b54700e30371f2ad6517cbb94674083 up to (not including) each of these fix commits:
      < d3d5efade0c79dac1cac98c0cb1115432f804439
      < f69551139caf6d24242a0ad049ee46b264e3aee0
      < 1f8b91275912cd428289c1fb424bebd7ff5302bd
      < f37de46149db49abd2b24f4f0c5a88cf4dfb5f47
      < 6c6e8fc3c007319981647b410c29bb5775048551
      < 3f474c33ebc2e2ca3fcb587d7de4375348f13373
  • Linux / Linux
    2.6.37
    Fixed in: 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H