{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45961", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.089Z", "datePublished": "2026-05-27T12:18:17.637Z", "dateUpdated": "2026-05-27T12:18:17.637Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:18:17.637Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix memory leaks in gfs2_fill_super error path\n\nFix two memory leaks in the gfs2_fill_super() error handling path when\ntransitioning a filesystem to read-write mode fails.\n\nFirst leak: kthread objects (thread_struct, task_struct, etc.)\nWhen gfs2_freeze_lock_shared() fails after init_threads() succeeds, the\ncreated kernel threads (logd and quotad) are never destroyed. This\noccurs because the fail_per_node label doesn't call\ngfs2_destroy_threads().\n\nSecond leak: quota bitmap buffer (8192 bytes)\nWhen gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but\nbefore other operations complete, the allocated quota bitmap is never\nfreed.\n\nThe fix moves thread cleanup to the fail_per_node label to handle all\nerror paths uniformly. gfs2_destroy_threads() is safe to call\nunconditionally as it checks for NULL pointers. Quota cleanup is added\nin gfs2_make_fs_rw() to properly handle the withdrawal case where\nquota initialization succeeds but the filesystem is then withdrawn.\n\nThread leak backtrace (gfs2_freeze_lock_shared failure):\n unreferenced object 0xffff88801d7bca80 (size 4480):\n copy_process+0x3a1/0x4670 kernel/fork.c:2422\n kernel_clone+0xf3/0x6e0 kernel/fork.c:2779\n kthread_create_on_node+0x100/0x150 kernel/kthread.c:478\n init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611\n gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265\n\nQuota leak backtrace (gfs2_make_fs_rw failure):\n unreferenced object 0xffff88812de7c000 (size 8192):\n gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409\n gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149\n gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/gfs2/ops_fstype.c", "fs/gfs2/super.c"], "versions": [{"version": "b66f723bb552ad59c2acb5d45ea45c890f84498b", "lessThan": "e54229ecf49add8451d5f765a32c86ab4446e06c", "status": "affected", "versionType": "git"}, {"version": "b66f723bb552ad59c2acb5d45ea45c890f84498b", "lessThan": "da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102", "status": "affected", "versionType": "git"}, {"version": "2f8623377f3e0cfaa80558631b8694d02a492b4c", "status": "affected", "versionType": "git"}, {"version": "c713ebf2fe3f469e4af4de60a3427689ffb7c5d7", "status": "affected", "versionType": "git"}, {"version": "c2191e507147b1a22e9170ebb2aaa0f2902fcbfa", "status": "affected", "versionType": "git"}, {"version": "9fc32dad3cdba18669c71893f3e6d96905b39b3f", "status": "affected", "versionType": "git"}, {"version": "5.10.173", "lessThan": "5.11", "status": "affected", "versionType": "semver"}, {"version": "5.15.99", "lessThan": "5.16", "status": "affected", "versionType": "semver"}, {"version": "6.1.16", "lessThan": "6.2", "status": "affected", "versionType": "semver"}, {"version": "6.2.3", "lessThan": "6.3", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/gfs2/ops_fstype.c", "fs/gfs2/super.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c"}, {"url": "https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102"}], "title": "gfs2: fix memory leaks in gfs2_fill_super error path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix memory leaks in gfs2_fill_super error path\n\nFix two memory leaks in the gfs2_fill_super() error handling path when\ntransitioning a filesystem to read-write mode fails.\n\nFirst leak: kthread objects (thread_struct, task_struct, etc.)\nWhen gfs2_freeze_lock_shared() fails after init_threads() succeeds, the\ncreated kernel threads (logd and quotad) are never destroyed. This\noccurs because the fail_per_node label doesn't call\ngfs2_destroy_threads().\n\nSecond leak: quota bitmap buffer (8192 bytes)\nWhen gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but\nbefore other operations complete, the allocated quota bitmap is never\nfreed.\n\nThe fix moves thread cleanup to the fail_per_node label to handle all\nerror paths uniformly. gfs2_destroy_threads() is safe to call\nunconditionally as it checks for NULL pointers. Quota cleanup is added\nin gfs2_make_fs_rw() to properly handle the withdrawal case where\nquota initialization succeeds but the filesystem is then withdrawn.\n\nThread leak backtrace (gfs2_freeze_lock_shared failure):\n unreferenced object 0xffff88801d7bca80 (size 4480):\n copy_process+0x3a1/0x4670 kernel/fork.c:2422\n kernel_clone+0xf3/0x6e0 kernel/fork.c:2779\n kthread_create_on_node+0x100/0x150 kernel/kthread.c:478\n init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611\n gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265\n\nQuota leak backtrace (gfs2_make_fs_rw failure):\n unreferenced object 0xffff88812de7c000 (size 8192):\n gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409\n gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149\n gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275"}], "id": "CVE-2026-45961", "lastModified": "2026-05-27T14:48:03.013", "metrics": {}, "published": "2026-05-27T14:17:12.783", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}