CVE-2024-14027 (GCVE-0-2024-14027)

Vulnerability from cvelistv5 – Published: 2026-03-09 15:51 – Updated: 2026-03-13 16:36
VLAI?
Title
xattr: switch to CLASS(fd)
Summary
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: c3a5e3e872f3688ae0dc57bb78ca633921d96a91 , < d151b94967c8247005435b63fc60f8f4baa320da (git)
Affected: c3a5e3e872f3688ae0dc57bb78ca633921d96a91 , < a71874379ec8c6e788a61d71b3ad014a8d9a5c08 (git)
Affected: c03185f4a23e7f89d84c9981091770e876e64480 (git)
Affected: 8d5863cb33aa424fc27115ee945ad6b96ae2facb (git)
Create a notification for this product.
    Linux Linux Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d151b94967c8247005435b63fc60f8f4baa320da",
              "status": "affected",
              "version": "c3a5e3e872f3688ae0dc57bb78ca633921d96a91",
              "versionType": "git"
            },
            {
              "lessThan": "a71874379ec8c6e788a61d71b3ad014a8d9a5c08",
              "status": "affected",
              "version": "c3a5e3e872f3688ae0dc57bb78ca633921d96a91",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c03185f4a23e7f89d84c9981091770e876e64480",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8d5863cb33aa424fc27115ee945ad6b96ae2facb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.51",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T16:36:15.139Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da"
        },
        {
          "url": "https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08"
        }
      ],
      "title": "xattr: switch to CLASS(fd)",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-14027",
    "datePublished": "2026-03-09T15:51:12.634Z",
    "dateReserved": "2026-03-09T15:47:22.723Z",
    "dateUpdated": "2026-03-13T16:36:15.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-14027\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-09T16:16:14.313\",\"lastModified\":\"2026-03-13T19:53:46.697\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/xattr: missing fdput() in fremovexattr error path\\n\\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\\nfile reference but returns early without calling fdput() when\\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\\nwhere fdget() takes the slow path, this permanently leaks one\\nfile reference per call, pinning the struct file and associated kernel\\nobjects in memory. An unprivileged local user can exploit this to cause\\nkernel memory exhaustion. The issue was inadvertently fixed by commit\\na71874379ec8 (\\\"xattr: switch to CLASS(fd)\\\").\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nfs/xattr: falta fdput() en la ruta de error de fremovexattr\\n\\nEn el kernel de Linux, la llamada al sistema fremovexattr() llama a fdget() para adquirir una referencia de archivo, pero retorna prematuramente sin llamar a fdput() cuando strncpy_from_user() falla en el argumento \u0027name\u0027. En procesos multihilo donde fdget() toma la ruta lenta, esto fuga permanentemente una referencia de archivo por llamada, fijando la estructura \u0027struct file\u0027 y los objetos del kernel asociados en memoria. Un usuario local sin privilegios puede explotar esto para causar agotamiento de la memoria del kernel. El problema fue corregido inadvertidamente por el commit a71874379ec8 (\u0027xattr: switch to CLASS(fd)\u0027).\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.