CVE-2023-2513: use-after-free in ext4_xattr_set_entry (8th May 2023)

Preface: The vulnerability was fixed in Aug 2022. This is not a zero day and therefore published this month.

Background: ext4 is the default file system for many Linux distributions including Debian and Ubuntu. Furthermore, ext4 is the default file system for DigitalOcean Volumes Block Storage. Also, Google has used Ext4 on Android since Android 2.3.

To create files on Ext4, you need to format the partition with the Ext4 file system using the mkfs.ext4 command:

mke4fs -t ext4 blockdevice

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2513

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.