CVE-2023-52601: jfs: fix array-index-out-of-bounds in dbAdjTree
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix array-index-out-of-bounds in dbAdjTree
Currently there is a bound check missing in the dbAdjTree while
accessing the dmt_stree. To add the required check added the bool is_ctl
which is required to determine the size as suggest in the following
commit.
https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/
Security readout for executives and security teams
Plain-English summary
CVE-2023-52601 is a Linux kernel flaw in the JFS filesystem code. A missing bounds check can cause out-of-bounds array access. It is rated high because a local user could potentially affect confidentiality, integrity, and availability. It is not listed in KEV, and the provided sources do not show active exploitation.
Executive priority
Treat as a high-priority kernel maintenance item, especially on shared Linux servers, developer hosts, and container or workload platforms with local users. It is not currently supported by sources as an internet-exploited emergency, but kernel privilege-impact bugs deserve timely patching.
Technical view
The issue is CWE-129 in jfs dbAdjTree, where dmt_stree access lacked a required bounds check. The Linux fix adds logic to determine the correct size before access. CVSS 3.1 is 7.8: local attack vector, low complexity, low privileges, no user interaction, with high CIA impact.
Likely exposure
Exposure is mainly Linux systems running affected kernels with JFS filesystem support reachable by local users. Remote-only services are less directly exposed unless an attacker already has local code execution or account access. Distribution backports may change version-based assessment.
Exploitation context
The CVE record indicates local, low-privilege exploitation conditions. The source bundle includes kernel stable fixes and Debian LTS advisories, but no KEV listing or cited evidence of exploitation in the wild. No exploit maturity claims should be made from these sources.
Researcher notes
The affected component is JFS dbAdjTree bounds handling. The CVE affected data lists broad Linux kernel version ranges and multiple stable commit references. Because distributions backport fixes, validate by vendor package metadata or commit presence rather than raw kernel version alone.
Mitigation direction
Apply Linux kernel updates that include the referenced stable JFS fix.
Use distribution security advisories, not only upstream version numbers, to confirm remediation.
Prioritize multi-user Linux systems and systems where untrusted users have shell or workload access.
For Debian LTS, review the cited Debian advisories and install the relevant kernel updates.
Validation and detection
Inventory Linux kernel versions and distribution kernel package levels.
Check whether installed kernels include the referenced upstream stable commit or distro backport.
Identify systems with JFS support or JFS filesystems in use.
Confirm vulnerability scanner findings against vendor advisories and kernel changelogs.
Verify reboot into the remediated kernel after patch installation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-129: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
2ADP providers
11Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-129 · source CWE mapping
Improper Validation of Array Index
Improper Validation of Array Index represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.