CVE-2023-54313
Description
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix null pointer dereference in ovl_get_acl_rcu()
Following process: P1 P2 path_openat link_path_walk may_lookup inode_permission(rcu) ovl_permission acl_permission_check check_acl get_cached_acl_rcu ovl_get_inode_acl realinode = ovl_inode_real(ovl_inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL ovl_inode_upper upperdentry = ovl_i_dentry_upper(ovl_inode) d_inode(upperdentry) // returns NULL IS_POSIXACL(realinode) // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] [ 205.490014] ovl_get_inode_acl+0x26/0x30 [ 205.490466] get_cached_acl_rcu+0x61/0xa0 [ 205.490908] generic_permission+0x1bf/0x4e0 [ 205.491447] ovl_permission+0x79/0x1b0 [ 205.491917] inode_permission+0x15e/0x2c0 [ 205.492425] link_path_walk+0x115/0x550 [ 205.493311] path_lookupat.isra.0+0xb2/0x200 [ 205.493803] filename_lookup+0xda/0x240 [ 205.495747] vfs_fstatat+0x7b/0xb0
Fetch a reproducer in [Link].
Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a null pointer dereference in ovl_get_acl_rcu() can be triggered during a race where an overlayfs dentry is freed while a permissions check is in progress.
Vulnerability
Analysis
The vulnerability is a null pointer dereference in the Linux kernel's overlay filesystem (overlayfs), specifically in the function ovl_get_acl_rcu(). The root cause is a race condition where one process performing a path lookup (e.g., ls) may access the overlay inode's upper dentry after another process has concurrently removed the dentry_kill() that upper dentry, setting its d_inode to NULL. The code then calls IS_POSIXACL() on the resulting NULL realinode, causing a kernel panic. [1]
Exploitation
An attacker who can trigger concurrent overlayfs operations (e.g., i.e., by having two processes race on the same overlay or overlayfs mount, can cause the kernel to dereference a NULL pointer. The attack surface is local unprivileged access to a filesystem path that goes through an overlay mount. No special privileges are needed beyond the ability to trigger a path lookup while an inode is being evicted.
Impact
The impact is a denial of service (kernel panic). The NULL pointer dereference leads to a BUG: kernel NULL pointer dereference, crashing the system or killing the affected process. There is no evidence of arbitrary code execution from this bug in the references. [1]
Mitigation
The fix has been applied upstream in the Linux kernel with commit d97481c7b273, which uses the helper ovl_i_path_realinode() to safely obtain a non-null realinode. Administrators should apply the kernel update that contains this patch. The issue was fixed in kernel versions starting from that commit. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
4d97481c7b273c4a5fb1ae5d3d536af163c53f4e19e595cc2Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.