CVE-2023-54077
Description
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix memory leak if ntfs_read_mft failed
Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then the next attr will goto label ATTR_ALLOC and alloc ni->dir.alloc_run. However, the two states are not always consistent, which can cause a memory leak.
1) If attr_name in ATTR_ROOT does not fit the condition, it will set is_root = true but NI_FLAG_DIR is not set.
2) The next attr_name in ATTR_ALLOC fits the condition and allocs ni->dir.alloc_run.
3) In the cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run.
4) Because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked, as kmemleak reported:
unreferenced object 0xffff888003bc5480 (size 64):
  backtrace:
    [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0
    [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0
    [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3]
    [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3]
    [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3]
    [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3]
    [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3]
    [<00000000b9170608>] get_tree_bdev+0x3fb/0x710
    [<000000004833798a>] vfs_get_tree+0x8e/0x280
    [<000000006e20b8e6>] path_mount+0xf3c/0x1930
    [<000000007bf15a5f>] do_mount+0xf3/0x110
    ...
Fix this by always setting is_root and NI_FLAG_DIR together.
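The state mismatch described above, reduced to a user-space C model (an added example, not the kernel's code and not the patch). The struct, the model_ and run_ helper names, the flag value and the gating of the ATTR_ALLOC allocation on is_root are assumptions made for illustration; only ntfs_read_mft, ni_clear, is_root, NI_FLAG_DIR, file.run and dir.alloc_run come from the description.

```c
#include <stdbool.h>
#include <stdlib.h>

#define NI_FLAG_DIR 0x1u /* constructed value; only the name is from the page */

/* Simplified stand-in for the ntfs3 inode: only the fields the description names. */
struct model_inode {
    unsigned ni_flags;
    void *file_run;      /* models ni->file.run */
    void *dir_alloc_run; /* models ni->dir.alloc_run */
};

static int live_allocs; /* outstanding allocations, standing in for kmemleak */

static void *run_alloc(void) { live_allocs++; return malloc(64); }
static void run_free(void **p) { if (*p) { free(*p); *p = NULL; live_allocs--; } }

/* Cleanup as the description gives it for ni_clear(): the flag alone picks what is freed. */
static void model_ni_clear(struct model_inode *ni)
{
    if (ni->ni_flags & NI_FLAG_DIR)
        run_free(&ni->dir_alloc_run);
    else
        run_free(&ni->file_run);
}

/*
 * ATTR_ROOT, then ATTR_ALLOC, then a failure that runs the cleanup.
 * root_name_ok / alloc_name_ok model "attr_name fits the condition".
 * fixed == false: is_root is set even when the ATTR_ROOT name check fails.
 * fixed == true:  is_root and NI_FLAG_DIR are only ever set together.
 * Returns how many allocations are still live after cleanup (0 = no leak).
 */
static int model_read_mft(bool root_name_ok, bool alloc_name_ok, bool fixed)
{
    struct model_inode ni = {0};
    bool is_root = false;
    int leaked;

    live_allocs = 0;
    if (root_name_ok) { is_root = true; ni.ni_flags |= NI_FLAG_DIR; }
    else if (!fixed)  { is_root = true; /* NI_FLAG_DIR left clear */ }
    if (is_root && alloc_name_ok)           /* ATTR_ALLOC (gating is assumed) */
        ni.dir_alloc_run = run_alloc();
    model_ni_clear(&ni);                    /* error path */
    leaked = live_allocs;
    free(ni.dir_alloc_run);                 /* tidy up so the demo itself does not leak */
    return leaked;
}
```

Only the combination "ATTR_ROOT name check fails, ATTR_ALLOC name check passes" leaves an allocation behind in the pre-fix model, which is why the leak surfaces on malformed metadata rather than on well-formed volumes.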
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak in the Linux NTFS3 driver when ntfs_read_mft fails due to inconsistent flag setting, leading to an unfreed allocation.
In the Linux kernel's ntfs3 filesystem driver, a memory leak occurs in the ntfs_read_mft() function during failure handling. When processing attributes, the ATTR_ROOT label sets is_root = true but does not consistently set ni->ni_flags |= NI_FLAG_DIR. If a subsequent attribute at ATTR_ALLOC allocates ni->dir.alloc_run, the cleanup function ni_clear() frees the wrong structure because it checks NI_FLAG_DIR to decide which run to free, causing the allocated ni->dir.alloc_run to be leaked [1][2][3].
Exploitation
The vulnerability can be triggered by mounting a specially crafted NTFS filesystem on which ntfs_read_mft() sets is_root without setting NI_FLAG_DIR, allocates ni->dir.alloc_run at ATTR_ALLOC, and then fails. An attacker with the ability to mount a malicious NTFS volume (e.g., via a USB drive or network filesystem) can exploit this. No authentication is required beyond local access to mount the filesystem.
Impact
Successful exploitation leads to a kernel memory leak, which can exhaust system memory over time, potentially causing a denial of service (DoS). The leak was reported via kmemleak, which showed an unreferenced object of size 64 bytes [1].
Mitigation
The fix is to always set is_root and NI_FLAG_DIR together at ATTR_ROOT, ensuring consistent state. Patches have been applied to the Linux kernel stable branches [1][2][3]. Users should update their kernels to include the fix. No workaround is available other than avoiding untrusted NTFS mounts.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- 3030f2b9b332
- 1bc6bb657dfb
- 93bf79f98968
- 3bb0d3eb475f
- bfa434c60157
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06 (nvd)
- git.kernel.org/stable/c/3030f2b9b3329db3948c1a145a5493ca6f617d50 (nvd)
- git.kernel.org/stable/c/3bb0d3eb475f01744ce6d6e998dfbd80220852a1 (nvd)
- git.kernel.org/stable/c/93bf79f989688852deade1550fb478b0a4d8daa8 (nvd)
- git.kernel.org/stable/c/bfa434c60157c9793e9b12c9b68ade02aff9f803 (nvd)