CVE-2024-14027
Description
In the Linux kernel, the following vulnerability has been resolved:
fs/xattr: missing fdput() in fremovexattr error path
In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's fremovexattr() syscall contains a resource leak in its error path. When strncpy_from_user() fails while copying the extended attribute name from userspace, the function returns early without calling fdput() to release the file reference acquired by fdget(). This omission means that the reference count on the struct file is not decremented, permanently pinning the file and its associated kernel objects in memory.
Exploitation
An unprivileged local user can trigger this bug by repeatedly calling fremovexattr() with an invalid or excessively long name argument that causes strncpy_from_user() to fail. In multi-threaded processes where fdget() takes the slow path (e.g., when the file descriptor table is shared), each failed call leaks one file reference. The attacker does not require any special capabilities or authentication beyond the ability to execute code on the system.
Impact
By repeatedly exploiting this leak, an attacker can exhaust kernel memory, leading to denial of service (system instability, out-of-memory conditions, or crashes). The vulnerability does not provide any privilege escalation or data corruption; its sole impact is resource exhaustion.
Mitigation
The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)") [1], which refactored the xattr syscalls to use the CLASS(fd) pattern that automatically handles cleanup. Users should update to a stable kernel release that contains this commit. No workaround is available for unpatched systems.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
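The leak and the scope-based fix described under Vulnerability and Mitigation above, shown as a userspace model in C. This is an added example, not the kernel's code and not taken from either patch. All names are hypothetical: model_fdget/model_fdput stand in for the fdget() slow path and fdput(), copy_name for strncpy_from_user(), and the 255-byte name limit is a constructed value.

```c
/* Userspace model, not kernel code: every identifier is a hypothetical stand-in. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
struct model_file { long refcount; };              /* stand-in for struct file */
static struct model_file *model_fdget(struct model_file *f) { f->refcount++; return f; }
static void model_fdput(struct model_file *f) { f->refcount--; }
static void model_fd_cleanup(struct model_file **f) { model_fdput(*f); }

static long copy_name(char *dst, const char *src, size_t max) /* ~ strncpy_from_user() */
{
    if (!src) return -EFAULT;                       /* unreadable user pointer */
    if (!*src || strlen(src) > max) return -ERANGE; /* empty or overlong name */
    memcpy(dst, src, strlen(src) + 1);
    return (long)strlen(dst);
}

/* Pre-fix shape: the early return skips model_fdput(). */
static long remove_leaky(struct model_file *file, const char *name)
{
    char kname[256];                                /* constructed limit: 255 bytes + NUL */
    struct model_file *f = model_fdget(file);
    long err = copy_name(kname, name, sizeof(kname) - 1);
    if (err < 0) return err;                        /* BUG: reference never released */
    model_fdput(f);                                 /* attribute removal elided */
    return 0;
}

/* Scope-based cleanup, the compiler feature CLASS(fd) builds on. */
static long remove_scoped(struct model_file *file, const char *name)
{
    char kname[256];
    __attribute__((cleanup(model_fd_cleanup))) struct model_file *f = model_fdget(file);
    long err = copy_name(kname, name, sizeof(kname) - 1);
    return err < 0 ? err : 0;                       /* handler runs on every return */
}

static long refs_after(long (*fn)(struct model_file *, const char *), const char *name, int n)
{
    struct model_file file = { 1 };                 /* one legitimate reference */
    while (n-- > 0) fn(&file, name);
    return file.refcount;
}

int main(void)
{
    printf("leaky=%ld scoped=%ld\n", refs_after(remove_leaky, NULL, 1000),
           refs_after(remove_scoped, NULL, 1000));
    return 0;
}
```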
Affected products: 1
Patches: 2 (d151b94967c8, a71874379ec8)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0