VYPR
Medium severity 5.5 · NVD Advisory · Published Oct 1, 2025 · Updated Apr 6, 2026

CVE-2023-53526


Description

In the Linux kernel, the following vulnerability has been resolved:

jbd2: check 'jh->b_transaction' before removing it from checkpoint

Following process will corrupt ext4 image:

Step 1:
jbd2_journal_commit_transaction
 __jbd2_journal_insert_checkpoint(jh, commit_transaction)
 // Put jh into trans1->t_checkpoint_list
 journal->j_checkpoint_transactions = commit_transaction
 // Put trans1 into journal->j_checkpoint_transactions

Step 2:
do_get_write_access
 test_clear_buffer_dirty(bh) // clear buffer dirty,set jbd dirty
 __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2

Step 3:
drop_cache
 journal_shrink_one_cp_list
  jbd2_journal_try_remove_checkpoint
   if (!trylock_buffer(bh)) // lock bh, true
   if (buffer_dirty(bh)) // buffer is not dirty
   __jbd2_journal_remove_checkpoint(jh)
   // remove jh from trans1->t_checkpoint_list

Step 4:
jbd2_log_do_checkpoint
 trans1 = journal->j_checkpoint_transactions
 // jh is not in trans1->t_checkpoint_list
 jbd2_cleanup_journal_tail(journal) // trans1 is done

Step 5: Power cut, trans2 is not committed, jh is lost in next mounting.

Fix it by checking 'jh->b_transaction' before removing it from checkpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's jbd2 journaling code can cause ext4 filesystem image corruption due to missing a 'jh->b_transaction' check before removing a journal head from a checkpoint list.

CVE-2023-53526 is a medium-severity vulnerability in the Linux kernel's jbd2 (journaling block device layer 2) subsystem, which underpins the ext4 filesystem. The root cause is a race condition in jbd2_journal_try_remove_checkpoint where a journal head (jh) is removed from a checkpoint list without verifying that it still belongs to the expected transaction. Specifically, the code checks trylock_buffer and buffer_dirty, but omits the critical check jh->b_transaction, allowing a journal head to be prematurely removed from one transaction while it has already been reattached to a different, uncommitted transaction.

Exploitation Scenario

The vulnerability is triggered by a specific sequence of operations. First, a transaction (trans1) commits and inserts a journal head into its checkpoint list. Second, a concurrent write operation (do_get_write_access) clears the buffer's dirty flag and reassigns the journal head to a new transaction (trans2). Third, memory pressure triggers journal shrink, which calls jbd2_journal_try_remove_checkpoint; because the buffer is no longer dirty, the function removes the journal head from trans1's checkpoint list, even though it now belongs to trans2. Fourth, jbd2_log_do_checkpoint no longer finds the journal head on trans1's checkpoint list, so jbd2_cleanup_journal_tail treats trans1 as done. If power is then cut before trans2 is committed, the journal head is lost, and on the next mount the ext4 filesystem is corrupted.
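The sequence above, reduced to a user-space C model with the check disabled and enabled (an added example, not the kernel's code or the patch itself). The structs, `try_remove_checkpoint` and `lost_after_power_cut` are simplified stand-ins that track only checkpoint-list membership and whether the journal tail still covers trans1.

```c
/* User-space model of the five steps; NOT kernel code. All names are
 * simplified stand-ins chosen for this example. */
#include <stdbool.h>
#include <stdio.h>

struct txn { int cp_count; bool in_log; };   /* in_log: journal can still replay it */
struct jhead {
    struct txn *b_transaction;     /* running transaction that owns the buffer */
    struct txn *b_cp_transaction;  /* transaction whose checkpoint list holds jh */
    bool dirty;                    /* models buffer_dirty(bh) */
};

/* Model of the shrinker's removal attempt; 'fixed' enables the added check. */
static int try_remove_checkpoint(struct jhead *jh, bool fixed)
{
    if (fixed && jh->b_transaction)
        return -1;                 /* busy: jh was refiled into a newer transaction */
    if (jh->dirty)
        return -1;                 /* busy: buffer still needs writeback */
    jh->b_cp_transaction->cp_count--;
    jh->b_cp_transaction = NULL;
    return 0;
}

/* Returns true if the block can no longer be recovered after the power cut. */
bool lost_after_power_cut(bool fixed)
{
    struct txn trans1 = {0, true}, trans2 = {0, false};
    struct jhead jh = {NULL, NULL, false};
    /* Step 1: trans1 commits, jh goes on its checkpoint list. */
    jh.b_cp_transaction = &trans1; trans1.cp_count = 1; jh.dirty = true;
    /* Step 2: write access clears buffer dirty and files jh into trans2. */
    jh.dirty = false; jh.b_transaction = &trans2;
    /* Step 3: cache shrink tries to drop jh from trans1's checkpoint list. */
    try_remove_checkpoint(&jh, fixed);
    /* Step 4: checkpoint; an empty list means trans1 is done, tail moves on. */
    if (trans1.cp_count == 0)
        trans1.in_log = false;
    /* Step 5: power cut before trans2 commits; the block was never written
     * back, so it survives only if trans1 can still be replayed. */
    return !trans1.in_log && !trans2.in_log;
}

int main(void)
{
    printf("without check: lost=%d\n", lost_after_power_cut(false));
    printf("with check:    lost=%d\n", lost_after_power_cut(true));
    return 0;
}
```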

Impact

An attacker with the ability to trigger memory pressure and concurrent filesystem operations (likely requiring local access or a crafted workload) can cause the ext4 filesystem to become inconsistent. This results in data corruption or loss, potentially leading to denial of service or data integrity issues. The vulnerability has a CVSS v3 score of 5.5 (Medium) and affects systems using the ext4 filesystem on Linux kernels prior to the fix.

Mitigation

The fix has been applied in multiple stable kernel commits (e.g., [1], [3], [4]) by adding the missing jh->b_transaction check before removing a journal head from the checkpoint list. Users should apply the latest kernel updates from their distribution. No workaround is available; the vulnerability is addressed only by updating to a fixed kernel version.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Linux/Kernel (7 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.15.129,<5.15.132)
    • cpe:2.3:o:linux:linux_kernel:6.5:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.5:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.5:rc7:*:*:*:*:*:*

Patches

4


References

4
