CVE-2023-54069: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
When we calculate the end position of ext4_free_extent, this position may
be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if
ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the
computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not
the first case of adjusting the best extent, that is, new_bex_end > 0, the
following BUG_ON will be triggered:
=========================================================
kernel BUG at fs/ext4/mballoc.c:5116!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
Call Trace:
<TASK>
ext4_mb_use_best_found+0x203/0x2f0
ext4_mb_try_best_found+0x163/0x240
ext4_mb_regular_allocator+0x158/0x1550
ext4_mb_new_blocks+0x86a/0xe10
ext4_ext_map_blocks+0xb0c/0x13a0
ext4_map_blocks+0x2cd/0x8f0
ext4_iomap_begin+0x27b/0x400
iomap_iter+0x222/0x3d0
__iomap_dio_rw+0x243/0xcb0
iomap_dio_rw+0x16/0x80
=========================================================
A simple reproducer demonstrating the problem:
mkfs.ext4 -F /dev/sda -b 4096 100M
mount /dev/sda /tmp/test
fallocate -l1M /tmp/test/tmp
fallocate -l10M /tmp/test/file
fallocate -i -o 1M -l16777203M /tmp/test/file
fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
sleep 10 && killall -9 fsstress
rm -f /tmp/test/tmp
xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"
We simply refactor the logic for adjusting the best extent by adding
a temporary ext4_free_extent ex and use extent_logical_end() to avoid
overflow, which also simplifies the code.
Security readout for executives and security teams
Plain-English summary
CVE-2023-54069 is a Linux kernel ext4 bug that can trigger a kernel BUG during certain file allocation and write activity. The known impact from the sources is system instability or denial of service, not data theft or remote code execution.
Executive priority
Schedule patching through normal Linux kernel maintenance, with faster handling for shared servers, container hosts, and storage systems using ext4. Current evidence supports moderate urgency because the known outcome is local crash risk and the bundle reports no active exploitation.
Technical view
The ext4 multiblock allocator can overflow an ext4_lblk_t logical end calculation in ext4_mb_new_inode_pa(). That overflow can incorrectly trip a BUG_ON in fs/ext4/mballoc.c during allocation paths. Kernel stable fixes refactor best-extent adjustment and use extent_logical_end() to avoid the overflow.
Likely exposure
Exposure is most likely on Linux systems running affected kernel versions with ext4 filesystems where local users, containers, or services can create and write large or sparse files. Systems not using ext4, not allowing untrusted local writes, or already carrying the stable fix are less exposed.
Exploitation context
The source bundle includes a local reproducer and a kernel crash trace, but does not show remote exploitation, privilege escalation, or active exploitation. CISA KEV is false in the bundle. Treat this as a local denial-of-service risk unless vendor guidance adds more impact detail.
Researcher notes
Evidence is centered on upstream Linux stable commits and CVE metadata. No CVSS, CWE, exploit-in-the-wild report, or vendor-specific package matrix is provided. Validation should focus on kernel stream mapping, ext4 usage, and whether local write primitives exist in exposed workloads.
Mitigation direction
Upgrade to a kernel version or vendor backport containing the referenced ext4 stable fix.
Check Linux distribution advisories for the exact fixed package for your kernel stream.
Prioritize systems using ext4 with untrusted local, container, or multi-tenant write access.
Apply filesystem quotas or workload isolation where immediate kernel updates are not available.
Avoid running crash reproducers on production systems.
Validation and detection
Inventory kernel versions against the affected and unaffected version data in the CVE record.
Identify ext4-mounted systems and workloads that can create large or sparse files.
Confirm installed kernels include the referenced stable ext4 fix or a vendor backport.
Review kernel logs for BUG traces mentioning fs/ext4/mballoc.c or ext4_mb_new_inode_pa().
Test updates in staging with representative ext4 file allocation workloads.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-54069 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
7Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 24, 2025, 12:23 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.