{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: ext4: fix invalid free tracking in ext4_xattr_move_to_block()", "id" : "2425016", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425016" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix invalid free tracking in ext4_xattr_move_to_block()\nIn ext4_xattr_move_to_block(), the value of the extended attribute\nwhich we need to move to an external block may be allocated by\nkvmalloc() if the value is stored in an external inode. So at the end\nof the function the code tried to check if this was the case by\ntesting entry->e_value_inum.\nHowever, at this point, the pointer to the xattr entry is no longer\nvalid, because it was removed from the original location where it had\nbeen stored. So we could end up calling kvfree() on a pointer which\nwas not allocated by kvmalloc(); or we could also potentially leak\nmemory by not freeing the buffer when it should be freed. Fix this by\nstoring whether it should be freed in a separate variable.", "A memory management flaw was found in the Linux kernel's ext4 filesystem extended attribute handling. In ext4_xattr_move_to_block(), when moving an extended attribute value to an external block, the code checks entry->e_value_inum to determine if the buffer was allocated via kvmalloc(). However, at cleanup time the xattr entry pointer is stale (already removed), leading to either calling kvfree() on an invalid pointer or leaking memory that should have been freed." ], "statement" : "This flaw affects ext4 filesystems using extended attributes stored in external inodes. The invalid free tracking occurs when moving large xattr values to separate blocks. While this can cause memory corruption or leaks, exploiting it requires specific filesystem operations on ext4 with large extended attributes, limiting practical attack scenarios.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54062\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54062\nhttps://lore.kernel.org/linux-cve-announce/2025122428-CVE-2023-54062-d861@gregkh/T" ], "name" : "CVE-2023-54062", "csaw" : false }