{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52526", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.318Z", "datePublished": "2024-03-02T21:52:32.261Z", "dateUpdated": "2024-12-19T08:21:29.277Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:21:29.277Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix memory leak of LZMA global compressed deduplication\n\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren't properly released, which could slowly cause\nunexpected OOMs hours later.\n\nLet's fix it now (LZ4 and DEFLATE don't have this issue.)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/erofs/decompressor_lzma.c"], "versions": [{"version": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "lessThan": "6a5a8f0a9740f865693d5aa97a42cc4504538e18", "status": "affected", "versionType": "git"}, {"version": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "lessThan": "c955751cbf864cf2055117dd3fe7f780d2a57b56", "status": "affected", "versionType": "git"}, {"version": "5c2a64252c5dc4cfe78e5b2a531c118894e3d155", "lessThan": "75a5221630fe5aa3fedba7a06be618db0f79ba1e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/erofs/decompressor_lzma.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.57", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.7", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18"}, {"url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56"}, {"url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e"}], "title": "erofs: fix memory leak of LZMA global compressed deduplication", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-04T14:37:17.181611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:24.983Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.817Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.817Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-04T14:37:17.181611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:14.674Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "erofs: fix memory leak of LZMA global compressed deduplication", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5c2a64252c5d", "lessThan": "6a5a8f0a9740", "versionType": "git"}, {"status": "affected", "version": "5c2a64252c5d", "lessThan": "c955751cbf86", "versionType": "git"}, {"status": "affected", "version": "5c2a64252c5d", "lessThan": "75a5221630fe", "versionType": "git"}], "programFiles": ["fs/erofs/decompressor_lzma.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1"}, {"status": "unaffected", "version": "0", "lessThan": "6.1", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.57", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.7", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/erofs/decompressor_lzma.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18"}, {"url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56"}, {"url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix memory leak of LZMA global compressed deduplication\n\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren't properly released, which could slowly cause\nunexpected OOMs hours later.\n\nLet's fix it now (LZ4 and DEFLATE don't have this issue.)"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:34.948Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52526", "state": "PUBLISHED", "dateUpdated": "2024-11-04T14:48:34.948Z", "dateReserved": "2024-02-20T12:30:33.318Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-03-02T21:52:32.261Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8F162B2-4FA0-4B04-B738-46FC68746E46", "versionEndExcluding": "6.1.57", "versionStartIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "830A824C-F212-4FDC-ADEF-0EBEC6B2365B", "versionEndExcluding": "6.5.7", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "84267A4F-DBC2-444F-B41D-69E15E1BEC97", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "FB440208-241C-4246-9A83-C1715C0DAA6C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*", "matchCriteriaId": "0DC421F1-3D5A-4BEF-BF76-4E468985D20B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc4:*:*:*:*:*:*", "matchCriteriaId": "00AB783B-BE05-40E8-9A55-6AA457D95031", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix memory leak of LZMA global compressed deduplication\n\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren't properly released, which could slowly cause\nunexpected OOMs hours later.\n\nLet's fix it now (LZ4 and DEFLATE don't have this issue.)"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: erofs: corrige la p\u00e9rdida de memoria de la deduplicaci\u00f3n comprimida global LZMA Al estresar las im\u00e1genes microLZMA EROFS con la nueva funci\u00f3n de deduplicaci\u00f3n comprimida global habilitada (`-Ededupe`), encontr\u00e9 algunas p\u00e1ginas temporales de corta duraci\u00f3n no se publicaron correctamente, lo que podr\u00eda causar OOM inesperados horas m\u00e1s tarde. Solucion\u00e9moslo ahora (LZ4 y DEFLATE no tienen este problema)."}], "id": "CVE-2023-52526", "lastModified": "2024-12-11T15:19:11.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-03-02T22:15:48.360", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6a5a8f0a9740f865693d5aa97a42cc4504538e18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/75a5221630fe5aa3fedba7a06be618db0f79ba1e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c955751cbf864cf2055117dd3fe7f780d2a57b56"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: erofs: fix memory leak of LZMA global compressed deduplication", "id": "2267791", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267791"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nerofs: fix memory leak of LZMA global compressed deduplication\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren't properly released, which could slowly cause\nunexpected OOMs hours later.\nLet's fix it now (LZ4 and DEFLATE don't have this issue.)", "A memory leak flaw was found in the Linux Kernel in the LZMA global compressed deduplication. This flaw allows a local user to crash the system."], "name": "CVE-2023-52526", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52526\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52526\nhttps://lore.kernel.org/linux-cve-announce/2024030254-CVE-2023-52526-8928@gregkh/T/#u"], "threat_severity": "Low", "upstream_fix": "kernel 6.1.57, kernel 6.5.7, kernel 6.6"}