2026-03-09 15:51 | CVE-2024-14027 | Linux
PUBLISHED | 5.2

xattr: switch to CLASS(fd)

In the Linux kernel, the following vulnerability has been resolved:

fs/xattr: missing fdput() in fremovexattr error path

In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").

Affected products

Linux

Linux

< a71874379ec8c6e788a61d71b3ad014a8d9a5c08 - AFFECTED

Linux

<= * - UNAFFECTED

References

JSON source

https://cveawg.mitre.org/api/cve/CVE-2024-14027
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2024-14027",
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "dateUpdated": "2026-03-09T15:51:12.634Z",
    "dateReserved": "2026-03-09T15:47:22.723Z",
    "datePublished": "2026-03-09T15:51:12.634Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux",
        "dateUpdated": "2026-03-09T15:51:12.634Z"
      },
      "title": "xattr: switch to CLASS(fd)",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\")."
        }
      ],
      "affected": [
        {
          "vendor": "Linux",
          "product": "Linux",
          "programFiles": [
            "fs/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "status": "affected",
              "versionType": "git",
              "lessThan": "a71874379ec8c6e788a61d71b3ad014a8d9a5c08"
            }
          ]
        },
        {
          "vendor": "Linux",
          "product": "Linux",
          "programFiles": [
            "fs/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "6.13",
              "status": "unaffected",
              "versionType": "original_commit_for_fix",
              "lessThanOrEqual": "*"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08"
        }
      ]
    }
  }
}