LiveActive security incident?Get immediate response
CVE Record

CVE-2023-54069: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow

In the Linux kernel, the following vulnerability has been resolved: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 ========================================================= A simple reproducer demonstrating the problem: mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192" We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-54069 is a Linux kernel ext4 bug that can trigger a kernel BUG during certain file allocation and write activity. The known impact from the sources is system instability or denial of service, not data theft or remote code execution.

Executive priority

Schedule patching through normal Linux kernel maintenance, with faster handling for shared servers, container hosts, and storage systems using ext4. Current evidence supports moderate urgency because the known outcome is local crash risk and the bundle reports no active exploitation.

Technical view

The ext4 multiblock allocator can overflow an ext4_lblk_t logical end calculation in ext4_mb_new_inode_pa(). That overflow can incorrectly trip a BUG_ON in fs/ext4/mballoc.c during allocation paths. Kernel stable fixes refactor best-extent adjustment and use extent_logical_end() to avoid the overflow.

Likely exposure

Exposure is most likely on Linux systems running affected kernel versions with ext4 filesystems where local users, containers, or services can create and write large or sparse files. Systems not using ext4, not allowing untrusted local writes, or already carrying the stable fix are less exposed.

Exploitation context

The source bundle includes a local reproducer and a kernel crash trace, but does not show remote exploitation, privilege escalation, or active exploitation. CISA KEV is false in the bundle. Treat this as a local denial-of-service risk unless vendor guidance adds more impact detail.

Researcher notes

Evidence is centered on upstream Linux stable commits and CVE metadata. No CVSS, CWE, exploit-in-the-wild report, or vendor-specific package matrix is provided. Validation should focus on kernel stream mapping, ext4 usage, and whether local write primitives exist in exposed workloads.

Mitigation direction

  • Upgrade to a kernel version or vendor backport containing the referenced ext4 stable fix.
  • Check Linux distribution advisories for the exact fixed package for your kernel stream.
  • Prioritize systems using ext4 with untrusted local, container, or multi-tenant write access.
  • Apply filesystem quotas or workload isolation where immediate kernel updates are not available.
  • Avoid running crash reproducers on production systems.

Validation and detection

  • Inventory kernel versions against the affected and unaffected version data in the CVE record.
  • Identify ext4-mounted systems and workloads that can create large or sparse files.
  • Confirm installed kernels include the referenced stable ext4 fix or a vendor backport.
  • Review kernel logs for BUG traces mentioning fs/ext4/mballoc.c or ext4_mb_new_inode_pa().
  • Test updates in staging with representative ext4 file allocation workloads.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-54069 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8659c5f4ffaacbe932849b98462c3d635b4eacea, fc7237e191b99f88e859316fab2b06c2c26c8344, 613f6cde5ebb005a37fda117cdda7b4126170c13, 9d4430b7f862ce8835ca4e054b6916d15c8e0862, 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9, 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9, 46772ab99409cc72241227dd8f5295f358233fda, 25a60b4533268477920faaeebd99e7e69c0735cd, cec4ef62b36b04e0bc8905732adab091f4bc1cfd, 5.4.244, 5.10.181, 5.15.113, 6.1.30, 4.14.316, 4.19.284, 6.3.4unaffected
LinuxLinux6.4, 0, 5.4.260, 5.10.200, 5.15.138, 6.1.61, 6.5.5, 6.6affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.