CVE-2026-53043 - Vulnerability Details

- ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".

In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:

- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.

- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.

This patch (of 2):

The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.

Published: 2026-06-24

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< d3d5efade0c79dac1cac98c0cb1115432f804439
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< f69551139caf6d24242a0ad049ee46b264e3aee0
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< 1f8b91275912cd428289c1fb424bebd7ff5302bd
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< f37de46149db49abd2b24f4f0c5a88cf4dfb5f47
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< 6c6e8fc3c007319981647b410c29bb5775048551
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< 3f474c33ebc2e2ca3fcb587d7de4375348f13373
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< 3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21
`ea2034416b54700e30371f2ad6517cbb94674083`	affected	< 7ab3fbb01bc6d79091bc375e5235d360cd9b78be

Linux

affected

Version	Status	Constraints
`2.6.37`	affected	—
`0`	unaffected	< 2.6.37
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ea2034416b54700e30371f2ad6517cbb94674083,d3d5efade0c79dac1cac98c0cb1115432f804439)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,f69551139caf6d24242a0ad049ee46b264e3aee0)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,1f8b91275912cd428289c1fb424bebd7ff5302bd)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,f37de46149db49abd2b24f0c5a88cf4dfb5f47)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,6c6e8fc3c007319981647b410c29bb5775048551)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,3f474c33ebc2e2ca3fcb587d7de4375348f13373)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21)`	affected	code_commit	—
`[ea2034416b54700e30371f2ad6517cbb94674083,7ab3fbb01bc6d79091bc375e5235d360cd9b78be)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.37`	affected	semver	—
`[0,2.6.37)`	unaffected	semver	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00521.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1f8b91275912cd428289c1fb424bebd7ff5302bd
https://git.kernel.org/stable/c/3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21
https://git.kernel.org/stable/c/3f474c33ebc2e2ca3fcb587d7de4375348f13373
https://git.kernel.org/stable/c/6c6e8fc3c007319981647b410c29bb5775048551
https://git.kernel.org/stable/c/7ab3fbb01bc6d79091bc375e5235d360cd9b78be
https://git.kernel.org/stable/c/d3d5efade0c79dac1cac98c0cb1115432f804439
https://git.kernel.org/stable/c/f37de46149db49abd2b24f4f0c5a88cf4dfb5f47
https://git.kernel.org/stable/c/f69551139caf6d24242a0ad049ee46b264e3aee0
https://lore.kernel.org/linux-cve-announce/2026062457-CVE-2026-53043-5980@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53043
https://www.cve.org/CVERecord?id=CVE-2026-53043

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Fri, 26 Jun 2026 04:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-193 CWE-787

Fri, 26 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026062457-CVE-2026-53043-5980@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53043 https://www.cve.org/CVERecord?id=CVE-2026-53043

Wed, 24 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-193 CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qr_numregions in dlm_match_regions() Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()". In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION network message is used to drive loops over the qr_regions buffer without sufficient validation. This series fixes two issues: - Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer. - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds. This patch (of 2): The qr_numregions field from a DLM_QUERY_REGION network message is used directly as loop bounds in dlm_match_regions() without checking against O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS (32) entries, a crafted message with qr_numregions > 32 causes out-of-bounds reads past the qr_regions buffer. Add a bounds check for qr_numregions before entering the loops.
Title		ocfs2/dlm: validate qr_numregions in dlm_match_regions()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1f8b91275912cd428289c1fb424bebd7ff5302bd https://git.kernel.org/stable/c/3c2d0de23ae4be22b6c18e8f0915be74d3b5fb21 https://git.kernel.org/stable/c/3f474c33ebc2e2ca3fcb587d7de4375348f13373 https://git.kernel.org/stable/c/6c6e8fc3c007319981647b410c29bb5775048551 https://git.kernel.org/stable/c/7ab3fbb01bc6d79091bc375e5235d360cd9b78be https://git.kernel.org/stable/c/d3d5efade0c79dac1cac98c0cb1115432f804439 https://git.kernel.org/stable/c/f37de46149db49abd2b24f4f0c5a88cf4dfb5f47 https://git.kernel.org/stable/c/f69551139caf6d24242a0ad049ee46b264e3aee0

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:49.480Z

Updated: 2026-06-28T06:38:24.551Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53043

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53043 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses

CWE-1285

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object