{"api_version":"1","generated_at":"2026-04-23T04:34:11+00:00","cve":"CVE-2024-14027","urls":{"html":"https://cve.report/CVE-2024-14027","api":"https://cve.report/api/cve/CVE-2024-14027.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-14027","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-14027"},"summary":{"title":"xattr: switch to CLASS(fd)","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\").","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-09 16:16:14","updated_at":"2026-04-06 08:16:36"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/9a3a2ae5efbbcaed37551218abed94e23c537157","name":"https://git.kernel.org/stable/c/9a3a2ae5efbbcaed37551218abed94e23c537157","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da","name":"https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08","name":"https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5a1e865e51063d6c56f673ec8ad4b6604321b455","name":"https://git.kernel.org/stable/c/5a1e865e51063d6c56f673ec8ad4b6604321b455","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-14027","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-14027","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c03185f4a23e7f89d84c9981091770e876e64480 9a3a2ae5efbbcaed37551218abed94e23c537157 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c3a5e3e872f3688ae0dc57bb78ca633921d96a91 d151b94967c8247005435b63fc60f8f4baa320da git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c3a5e3e872f3688ae0dc57bb78ca633921d96a91 a71874379ec8c6e788a61d71b3ad014a8d9a5c08 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8d5863cb33aa424fc27115ee945ad6b96ae2facb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.133 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.77 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"14027","cve":"CVE-2024-14027","epss":"0.000090000","percentile":"0.009360000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/xattr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"9a3a2ae5efbbcaed37551218abed94e23c537157","status":"affected","version":"c03185f4a23e7f89d84c9981091770e876e64480","versionType":"git"},{"lessThan":"d151b94967c8247005435b63fc60f8f4baa320da","status":"affected","version":"c3a5e3e872f3688ae0dc57bb78ca633921d96a91","versionType":"git"},{"lessThan":"a71874379ec8c6e788a61d71b3ad014a8d9a5c08","status":"affected","version":"c3a5e3e872f3688ae0dc57bb78ca633921d96a91","versionType":"git"},{"status":"affected","version":"8d5863cb33aa424fc27115ee945ad6b96ae2facb","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/xattr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.11"},{"lessThan":"6.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.133","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.77","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.13","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.133","versionStartIncluding":"6.6.51","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.77","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.13","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\")."}],"providerMetadata":{"dateUpdated":"2026-04-06T08:01:13.667Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/9a3a2ae5efbbcaed37551218abed94e23c537157"},{"url":"https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da"},{"url":"https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08"}],"title":"xattr: switch to CLASS(fd)","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-14027","datePublished":"2026-03-09T15:51:12.634Z","dateReserved":"2026-03-09T15:47:22.723Z","dateUpdated":"2026-04-06T08:01:13.667Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-09 16:16:14","lastModifiedDate":"2026-04-06 08:16:36","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"14027","Ordinal":"1","Title":"xattr: switch to CLASS(fd)","CVE":"CVE-2024-14027","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"14027","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\").","Type":"Description","Title":"xattr: switch to CLASS(fd)"}]}}}