CVE-2023-54099
Description
In the Linux kernel, the following vulnerability has been resolved:
fs: Protect reconfiguration of sb read-write from racing writes
The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as preparation of quota files) before we can take userspace writes so we are clearing SB_RDONLY flag before we are fully ready to accept userpace writes and syzbot has found a way to exploit this [1]. Also as far as I'm reading the code the filesystem remount code was protected from racing writes in the legacy mount path by the mount's MNT_READONLY flag so this is relatively new problem. It is actually fairly easy to protect remount read-write from racing writes using sb->s_readonly_remount flag so let's just do that instead of having to workaround these races in the filesystem code.
[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's filesystem remount code allows userspace writes to start before the filesystem is fully reconfigured to read-write, potentially leading to data corruption.
Vulnerability
Description
A race condition exists in the Linux kernel's filesystem reconfiguration (remount) code. When remounting a filesystem from read-only to read-write, the kernel clears the SB_RDONLY flag before the filesystem has completed all necessary internal preparations (e.g., quota file setup). This allows userspace write operations to begin immediately, racing against the filesystem's finalization steps. The issue was identified in ext4 and reported via syzbot [1].
Exploitation
Scenario
An attacker with local access and the ability to trigger a remount operation (e.g., via mount -o remount,rw) can exploit this race. By initiating concurrent write operations immediately after the SB_RDONLY flag is cleared, the attacker may cause the filesystem to operate in an inconsistent state before it is fully ready to accept writes. No special privileges beyond the ability to remount the filesystem are required.
Impact
Successful exploitation can lead to filesystem corruption, data loss, or denial of service. The race condition undermines the integrity guarantees that filesystems like ext4 rely on during the remount process. The vulnerability is particularly concerning for systems that frequently toggle filesystem read-write state.
Mitigation
The fix introduces proper protection using the sb->s_readonly_remount flag to prevent userspace writes from racing with the reconfiguration. The patch has been applied to the Linux kernel stable branches [1][2]. Users should update to the latest kernel version containing this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
60336b42456e47e4e87ec56aa0ccfe21949bc295ef44a2aba4abda85197bac541dce86c53Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03nvd
- git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757nvd
- git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191fnvd
- git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733nvd
- git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26ccnvd
- git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222bnvd
News mentions
0No linked articles in our index yet.