In the Linux kernel, the following vulnerability has been resolved:
fs/xattr: missing fdput() in fremovexattr error path
In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a
file reference but returns early without calling fdput() when
strncpy_from_user() fails on the name argument. In multi-threaded processes
where fdget() takes the slow path, this permanently leaks one
file reference per call, pinning the struct file and associated kernel
objects in memory. An unprivileged local user can exploit this to cause
kernel memory exhaustion. The issue was inadvertently fixed by commit
a71874379ec8 ("xattr: switch to CLASS(fd)").
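The leak pattern described above, and why a conversion to scope-based cleanup closes it, shown as an added userland model (not kernel code and not taken from the referenced commits). The `model_` helpers, struct layouts and function names are hypothetical. The model always takes a reference, standing in for the fdget() slow path, and uses the compiler cleanup attribute that the kernel's CLASS() helpers build on.

```c
/* Userland model of the leak; not kernel code. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
struct file_model { int refs; };              /* stands in for struct file */
struct fd_model { struct file_model *file; };
/* Models the fdget() slow path, where a real reference is taken. */
static struct fd_model model_fdget(struct file_model *f) { f->refs++; return (struct fd_model){ f }; }
static void model_fdput(struct fd_model fd) { fd.file->refs--; }
static void model_fd_cleanup(struct fd_model *fd) { model_fdput(*fd); }
/* Stands in for strncpy_from_user(): -EFAULT on a bad source pointer. */
static long model_copy_name(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    if (!src) return -EFAULT;
    while (i + 1 < n && src[i]) { dst[i] = src[i]; i++; }
    dst[i] = '\0';
    return (long)i;
}

/* Pattern from the description: the early return skips the put. */
static long remove_leaky(struct file_model *f, const char *uname)
{
    char kname[256];
    struct fd_model fd = model_fdget(f);
    long err = model_copy_name(kname, uname, sizeof(kname));
    if (err < 0) return err;   /* reference taken above is never dropped */
    model_fdput(fd);           /* only reached on the success path */
    return 0;
}

/* Scope-based form: the cleanup handler runs on every return path. */
static long remove_scoped(struct file_model *f, const char *uname)
{
    char kname[256];
    __attribute__((cleanup(model_fd_cleanup))) struct fd_model fd = model_fdget(f);
    long err = model_copy_name(kname, uname, sizeof(kname));
    return err < 0 ? err : 0;  /* model_fd_cleanup(&fd) runs either way */
}

/* References still held on one file after n failing calls. */
static int leaked_after(long (*fn)(struct file_model *, const char *), int n)
{
    struct file_model f = { 1 };
    for (int i = 0; i < n; i++) fn(&f, NULL);
    return f.refs - 1;
}
int main(void) { printf("leaky=%d scoped=%d\n", leaked_after(remove_leaky, 1000), leaked_after(remove_scoped, 1000)); return 0; }
```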
History
26 Jun 2026, 20:18
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| CWE | CWE-401 | |
| CVSS | v2 : , v3 : | v2 : unknown, v3 : 5.5 |
| References | () https://git.kernel.org/stable/c/9a3a2ae5efbbcaed37551218abed94e23c537157 - Patch | |
| References | () https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08 - Patch | |
| References | () https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da - Patch | |
| First Time | Linux linux Kernel, Linux | |
06 Apr 2026, 08:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
02 Apr 2026, 12:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
13 Mar 2026, 19:53
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
11 Mar 2026, 13:53
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | |
09 Mar 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-03-09 16:16
Updated : 2026-06-26 20:18
NVD link : CVE-2024-14027
Mitre link : CVE-2024-14027
CVE.ORG link : CVE-2024-14027
Products Affected
linux
- linux_kernel
CWE
CWE-401
Missing Release of Memory after Effective Lifetime
