CVE-2023-54063
Description
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix OOB read in indx_insert_into_buffer
Syzbot reported an OOB read bug:
BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755
Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630
Call Trace:
 memmove+0x25/0x60 mm/kasan/shadow.c:54
 indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755
 indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863
 ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548
 ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100
 lookup_open fs/namei.c:3413 [inline]
If the member struct INDEX_BUFFER *index of struct indx_node is incorrect, that is, the value of __le32 used is greater than the value of __le32 total in struct INDEX_HDR, an OOB read occurs when memmove is called in indx_insert_into_buffer(). Fix this by adding a check in hdr_find_e().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read vulnerability in the Linux kernel's NTFS3 driver when handling malformed index buffers can lead to system crash or information disclosure.
The NTFS3 filesystem driver in the Linux kernel contains a slab-out-of-bounds read vulnerability in the indx_insert_into_buffer function, as reported by syzbot. The root cause is that the INDEX_BUFFER structure within an index node can have an incorrect size indication; specifically, the used field in the INDEX_HDR can be larger than the total field. This discrepancy is not validated before a memmove operation, resulting in a read beyond the allocated buffer when handling crafted filesystem data [1][2].
Exploitation
To trigger the bug, an attacker must be able to mount a malicious NTFS filesystem image or cause the kernel to process corrupted index data. This requires local access to the system and the ability to mount the filesystem (or have a privileged process do so). No authentication beyond normal user privileges is needed, as filesystem processing occurs in kernel context when initiating a file creation operation via the ntfs_create_inode path [1][2].
Impact
A successful exploit leads to a kernel panic or system crash due to the out-of-bounds read. In more controlled scenarios, it could allow an attacker to read sensitive kernel memory contents, potentially disclosing confidential information. The KASAN report records a slab-out-of-bounds read of size 17168 [1].
Mitigation
The vulnerability is fixed in patches committed to the Linux kernel stable tree (commit IDs 17048287ac79 and 4bf3b564e27a). Users should apply updates from their distribution or update their kernel to a version containing these fixes. No workaround is known short of patching, as the NTFS3 driver cannot be safely disabled on systems that require NTFS filesystem support [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- cd7e1d679240
- 17048287ac79
- a7e5dba10ba1
- 4bf3b564e27a
- b8c44949044e
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/17048287ac79abd33b275ac3b5738285d406481b (nvd)
- git.kernel.org/stable/c/4bf3b564e27a518f158a83d5e1a50064ed6136a0 (nvd)
- git.kernel.org/stable/c/a7e5dba10ba1402dd6c2f961a70320770865c4a5 (nvd)
- git.kernel.org/stable/c/b8c44949044e5f7f864525fdffe8e95135ce9ce5 (nvd)
- git.kernel.org/stable/c/cd7e1d67924081717c5c96ead758a1a77867689a (nvd)