LiveActive security incident?Get immediate response
CVE Record

CVE-2023-53692: ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline

In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline Syzbot found the following issue: loop0: detected capacity change from 0 to 2048 EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. ================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931 Read of size 4 at addr ffff888073644750 by task syz-executor420/5067 CPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:306 print_report+0x107/0x1f0 mm/kasan/report.c:417 kasan_report+0xcd/0x100 mm/kasan/report.c:517 ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline] ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931 ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809 ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline] ext4_da_map_blocks fs/ext4/inode.c:1806 [inline] ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870 ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098 ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285 ext4_file_write_iter+0x1d0/0x18f0 call_write_iter include/linux/fs.h:2186 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f4b7a9737b9 RSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9 RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004 RBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Above issue is happens when enable bigalloc and inline data feature. As commit 131294c35ed6 fixed delayed allocation bug in ext4_clu_mapped for bigalloc + inline. But it only resolved issue when has inline data, if inline data has been converted to extent(ext4_da_convert_inline_data_to_extent) before writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However i_data is still store inline data in this scene. Then will trigger UAF when find extent. To resolve above issue, there is need to add judge "ext4_has_inline_data(inode)" in ext4_clu_mapped().

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-53692 is a Linux kernel ext4 bug that can read freed memory under a specific filesystem configuration: ext4 with bigalloc and inline data. The public record shows a syzbot/KASAN finding, not confirmed real-world exploitation. Business impact depends on whether affected kernels mount or process such ext4 filesystems.

Executive priority

Treat this as a kernel maintenance and exposure-reduction item, not an emergency based on current evidence. Prioritize patching where systems handle untrusted storage media or disk images, and fold the fix into normal kernel update cycles elsewhere.

Technical view

The flaw is a use-after-free read in ext4_find_extent, reached through ext4_clu_mapped during delayed allocation writes when bigalloc and inline data interact after inline data conversion. The cited fix adds an ext4_has_inline_data(inode) check in ext4_clu_mapped. Affected versions include 6.2 and several stable ranges before listed fixed releases.

Likely exposure

Exposure is most likely on Linux systems running affected kernel versions that mount ext4 filesystems using both bigalloc and inline data. Systems that process untrusted disk images, loop devices, or removable media deserve closer review. The bundle does not identify affected distributions or default configurations.

Exploitation context

The sources describe a syzbot-generated kernel KASAN report and mark KEV as false. There is no cited evidence of active exploitation, public exploit availability, privilege impact, or remote attack path in the provided bundle.

Researcher notes

The trigger condition is narrow but security-relevant: bigalloc plus inline data, with inline data converted before writepages while i_data still stores inline data. The provided record lacks CVSS, CWE, exploitability analysis, and distribution mapping, so validation should stay close to kernel version and filesystem feature checks.

Mitigation direction

  • Update to a kernel release containing the referenced stable ext4 fix.
  • Follow your Linux distribution's kernel advisory for packaged fixed versions.
  • Restrict mounting of untrusted ext4 images where operationally feasible.
  • Limit privileged access required to attach loop devices or mount filesystems.
  • Prioritize systems that ingest removable media, disk images, or tenant-provided volumes.

Validation and detection

  • Inventory kernel versions against the affected and fixed version ranges in the CVE record.
  • Check whether ext4 filesystems with bigalloc and inline data are mounted or processed.
  • Review distribution advisories to confirm the exact patched package version.
  • Confirm kernel changelogs include the referenced ext4_clu_mapped inline-data fix.
  • Look for kernel crash or KASAN reports mentioning ext4_find_extent or ext4_clu_mapped.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-53692 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
9Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1ed1eef0551bebee8e56973ccd0900e3578edfb7, 6f4200ec76a0d31200c308ec5a71c68df5417004, 9404839e0c9db5a517ea83c0ca3388b39d105fdf, d440d6427a5e3a877c1c259b8d2b216ddb65e185, 81b915181c630ee1cffa052e52874fe4e1ba91ac, 131294c35ed6f777bd4e79d42af13b5c41bf2775, 131294c35ed6f777bd4e79d42af13b5c41bf2775, 131294c35ed6f777bd4e79d42af13b5c41bf2775, c0c8edbc8abbe8f16d80a1d794d1ba2c12b6f193, 4.19.270, 5.4.229, 5.10.163, 5.15.87, 6.1.4, 6.0.18unaffected
LinuxLinux6.2, 0, 4.19.271, 5.4.243, 5.10.180, 5.15.111, 6.1.28, 6.2.15, 6.3.2, 6.4affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.