{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54196", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.498Z", "datePublished": "2025-12-30T12:09:02.801Z", "dateUpdated": "2026-01-05T10:51:26.508Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-01-05T10:51:26.508Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'\n\nSyzbot found the following issue:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000016\nMem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000\n[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\npc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\nlr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226\nsp : ffff8000126c3800\nx29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000\nx26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000\nx23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000\nx20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0\nx17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500\nx14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500\nx11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500\nx8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\n ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\n ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744\n evict+0xec/0x334 fs/inode.c:665\n iput_final fs/inode.c:1748 [inline]\n iput+0x2c4/0x324 fs/inode.c:1774\n ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660\n ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278\n ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x804/0x11c4 fs/namei.c:3688\n do_filp_open+0xdc/0x1b8 fs/namei.c:3718\n do_sys_openat2+0xb8/0x22c fs/open.c:1311\n do_sys_open fs/open.c:1327 [inline]\n __do_sys_openat fs/open.c:1343 [inline]\n __se_sys_openat fs/open.c:1338 [inline]\n __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\n el0t_64_sync+0x18c/0x190\nCode: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)\n---[ end trace 0000000000000000 ]---\n\nAbove issue may happens as follows:\nntfs_new_inode\n mi_init\n mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory\n if (!mi->mrec)\n return -ENOMEM;\niput\n iput_final\n evict\n ntfs_evict_inode\n ni_write_inode\n\t is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref\n\nTo solve above issue if new inode failed make inode bad before call 'iput()' in\n'ntfs_new_inode()'."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/fsntfs.c"], "versions": [{"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "6d3d3283e6b4fb3f3ee05dac30ee1461930b8103", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "329fc4d3f73d865b25f2ee4eafafb040ace37ad5", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "1c5cffe0d662fb2de7b63176c2582abb69b5f538", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "db2a3cc6a3481076da6344cc62a80a4e2525f36f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/fsntfs.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.113", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.81", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.4", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.3.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103"}, {"url": "https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5"}, {"url": "https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538"}, {"url": "https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f"}], "title": "fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'\n\nSyzbot found the following issue:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000016\nMem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000\n[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\npc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\nlr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226\nsp : ffff8000126c3800\nx29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000\nx26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000\nx23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000\nx20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0\nx17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500\nx14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500\nx11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500\nx8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\n ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\n ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744\n evict+0xec/0x334 fs/inode.c:665\n iput_final fs/inode.c:1748 [inline]\n iput+0x2c4/0x324 fs/inode.c:1774\n ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660\n ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278\n ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x804/0x11c4 fs/namei.c:3688\n do_filp_open+0xdc/0x1b8 fs/namei.c:3718\n do_sys_openat2+0xb8/0x22c fs/open.c:1311\n do_sys_open fs/open.c:1327 [inline]\n __do_sys_openat fs/open.c:1343 [inline]\n __se_sys_openat fs/open.c:1338 [inline]\n __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\n el0t_64_sync+0x18c/0x190\nCode: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)\n---[ end trace 0000000000000000 ]---\n\nAbove issue may happens as follows:\nntfs_new_inode\n mi_init\n mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory\n if (!mi->mrec)\n return -ENOMEM;\niput\n iput_final\n evict\n ntfs_evict_inode\n ni_write_inode\n\t is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref\n\nTo solve above issue if new inode failed make inode bad before call 'iput()' in\n'ntfs_new_inode()'."}], "id": "CVE-2023-54196", "lastModified": "2025-12-31T20:43:05.160", "metrics": {}, "published": "2025-12-30T13:16:07.653", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'", "id": "2426220", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426220"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2023-54196", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-54196\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54196\nhttps://lore.kernel.org/linux-cve-announce/2025123029-CVE-2023-54196-8081@gregkh/T"]}

{}