CVE-2023-54196

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-54196
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54196.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-54196
Downstream
Published
2025-12-30T12:09:02.801Z
Modified
2026-01-05T21:24:04.058279Z
Summary
fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix NULL pointer dereference in 'niwriteinode'

Syzbot found the following issue: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 [0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : isrecinuse fs/ntfs3/ntfs.h:313 [inline] pc : niwriteinode+0xac/0x798 fs/ntfs3/frecord.c:3232 lr : niwriteinode+0xa0/0x798 fs/ntfs3/frecord.c:3226 sp : ffff8000126c3800 x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: isrecinuse fs/ntfs3/ntfs.h:313 [inline] niwriteinode+0xac/0x798 fs/ntfs3/frecord.c:3232 ntfsevictinode+0x54/0x84 fs/ntfs3/inode.c:1744 evict+0xec/0x334 fs/inode.c:665 iputfinal fs/inode.c:1748 [inline] iput+0x2c4/0x324 fs/inode.c:1774 ntfsnewinode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 ntfscreateinode+0x20c/0xe78 fs/ntfs3/inode.c:1278 ntfscreate+0x54/0x74 fs/ntfs3/namei.c:100 lookupopen fs/namei.c:3413 [inline] openlastlookups fs/namei.c:3481 [inline] pathopenat+0x804/0x11c4 fs/namei.c:3688 dofilpopen+0xdc/0x1b8 fs/namei.c:3718 dosysopenat2+0xb8/0x22c fs/open.c:1311 dosysopen fs/open.c:1327 [inline] __dosysopenat fs/open.c:1343 [inline] __sesysopenat fs/open.c:1338 [inline] __arm64sysopenat+0xb0/0xe0 fs/open.c:1338 __invokesyscall arch/arm64/kernel/syscall.c:38 [inline] invokesyscall arch/arm64/kernel/syscall.c:52 [inline] el0svccommon+0x138/0x220 arch/arm64/kernel/syscall.c:142 doel0svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t64synchandler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t64sync+0x18c/0x190 Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) ---[ end trace 0000000000000000 ]---

Above issue may happens as follows: ntfsnewinode miinit mi->mrec = kmalloc(sbi->recordsize, GFPNOFS); -->failed to allocate memory if (!mi->mrec) return -ENOMEM; iput iputfinal evict ntfsevictinode niwriteinode isrecinuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref

To solve above issue if new inode failed make inode bad before call 'iput()' in 'ntfsnewinode()'.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54196.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
82cae269cfa953032fbb8980a7d554d60fb00b17
Fixed
6d3d3283e6b4fb3f3ee05dac30ee1461930b8103
Fixed
329fc4d3f73d865b25f2ee4eafafb040ace37ad5
Fixed
1c5cffe0d662fb2de7b63176c2582abb69b5f538
Fixed
db2a3cc6a3481076da6344cc62a80a4e2525f36f

Affected versions

v5.*
v5.14
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.100
v5.15.101
v5.15.102
v5.15.103
v5.15.104
v5.15.105
v5.15.106
v5.15.107
v5.15.108
v5.15.109
v5.15.11
v5.15.110
v5.15.111
v5.15.112
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.87
v5.15.88
v5.15.89
v5.15.9
v5.15.90
v5.15.91
v5.15.92
v5.15.93
v5.15.94
v5.15.95
v5.15.96
v5.15.97
v5.15.98
v5.15.99
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2
v6.3.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54196.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
5.15.113
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.81
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.3.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54196.json"