CVE-2023-53311
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, nilfs_evict_inode() could cause use-after-free read for nilfs_root if inodes are left in "garbage_list" and released by nilfs_dispose_list at the end of nilfs_detach_log_writer(), and this bug was fixed by commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"). However, it turned out that there is another possibility of UAF in the call path where mark_inode_dirty_sync() is called from iput(): nilfs_detach_log_writer() nilfs_dispose_list() iput() mark_inode_dirty_sync() __mark_inode_dirty() nilfs_dirty_inode() __nilfs_mark_inode_dirty() nilfs_load_inode_block() --> causes UAF of nilfs_root struct This can happen after commit 0ae45f63d4ef ("vfs: add support for a lazytime mount option"), which changed iput() to call mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME flag and i_nlink is non-zero. This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only") when using the syzbot reproducer, but the issue has potentially existed before. Fix this issue by adding a "purging flag" to the nilfs structure, setting that flag while disposing the "garbage_list" and checking it in __nilfs_mark_inode_dirty(). Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"), this patch does not rely on ns_writer to determine whether to skip operations, so as not to break recovery on mount. The nilfs_salvage_orphan_logs routine dirties the buffer of salvaged data before attaching the log writer, so changing __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL will cause recovery write to fail. The purpose of using the cleanup-only flag is to allow for narrowing of such conditions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-12-01
Generated
2026-05-07
AI Q&A
2025-09-16
EPSS Evaluated
2026-05-05
NVD
CVE-2023-53311
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.0 (inc) to 4.14.323 (exc)
linux linux_kernel From 4.15 (inc) to 4.19.292 (exc)
linux linux_kernel From 4.20 (inc) to 5.4.254 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.191 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.127 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.46 (exc)
linux linux_kernel From 6.2 (inc) to 6.4.11 (exc)
linux linux_kernel 6.5
linux linux_kernel 6.5
linux linux_kernel 6.5
linux linux_kernel 6.5
linux linux_kernel 6.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UAF) bug in the Linux kernel's nilfs2 filesystem. It occurs during the unmount process when the nilfs_root structure is accessed after it has been freed. Specifically, after detaching the log writer, certain inode operations can cause the system to reference the freed nilfs_root structure, leading to potential memory corruption or crashes. The issue arises from the interaction between inode dirtying functions and the lifecycle of nilfs_root during unmounting. It was fixed by adding a purging flag to prevent operations on the freed structure.


How can this vulnerability impact me? :

This vulnerability can lead to use-after-free memory errors in the Linux kernel when using the nilfs2 filesystem. Such errors can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or escalate privileges if exploited. Therefore, it can impact system reliability and security.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart