PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-45898 Linux CVE debrief

CVE-2023-45898 is a high-severity Linux kernel flaw in ext4’s extents status handling. NVD describes it as an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent. The vulnerable range is Linux kernel 6.5 up to, but not including, 6.5.4. From a defensive standpoint, the key action is to move affected systems to 6.5.4 or a later kernel that includes the fix and to prioritize hosts that rely on ext4 and are exposed to local users or container workloads.

Vendor
Linux
Product
Linux kernel
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2023-10-16
Original CVE updated
2026-05-12
Advisory published
2023-10-16
Advisory updated
2026-05-12

Who should care

Linux kernel maintainers, distribution security teams, and administrators running affected 6.5-series kernels should pay attention, especially on systems where ext4 is in use and local users or containerized workloads are present. Because the CVSS vector requires only local access with low privileges (AV:L, PR:L), multi-user servers, development machines, and shared infrastructure are the most relevant operational contexts.

Technical summary

NVD records CVE-2023-45898 as a CWE-416 use-after-free in fs/ext4/extents_status.c, associated with ext4_es_insert_extent. The NVD CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local exploitation conditions with significant potential impact. The published references include the upstream fix commit, kernel release notes for 6.5.4, and mailing list discussion, which together indicate the issue was addressed in the 6.5.4 release line.

Defensive priority

High. A use-after-free in kernel filesystem code that a local, low-privileged user can reach, rated with high confidentiality, integrity, and availability impact, is worth prompt patching on affected systems.

Recommended defensive actions

  • Upgrade Linux kernels to 6.5.4 or later on affected systems.
  • Verify package manager, image, and fleet baselines so no kernel in the 6.5 series older than 6.5.4 remains deployed.
  • Prioritize patching systems that permit untrusted local users, shared development access, or container workloads.
  • Confirm ext4-heavy hosts are included in remediation plans, since the flaw is in ext4 kernel code.
  • Track downstream vendor advisories and distribution backports for the fixed commit and release notes.
  • Reboot into the corrected kernel after installation and validate the running kernel version across the fleet.
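The last two steps, checking deployed baselines and validating the running kernel across the fleet, can be scripted. The helper below is an added example and is not part of the PatchSiren debrief or of any vendor tooling: it compares the running kernel's version string with the NVD-listed range (6.5 up to, but not including, 6.5.4) and reports whether an ext4 filesystem is mounted. Matching on the upstream version number is an assumption of this script, not a statement from the advisory: distribution kernels that backport the fix keep an older version string, so a hit means "check this host against the vendor advisory", not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the advisory): flag hosts whose running kernel
# version number falls inside the NVD range for CVE-2023-45898,
# [6.5.0, 6.5.4), and report whether ext4 is mounted on them.
# Assumption: the version string starts with major.minor[.patch], optionally
# followed by a distro suffix after "-" or a local-version marker "+".

# kernel_affected VERSION
#   returns 0 when VERSION is inside [6.5.0, 6.5.4), 1 when outside it,
#   2 when the string cannot be parsed as major.minor[.patch].
kernel_affected() {
    v=${1%%-*}                         # 6.5.3-arch1-1 -> 6.5.3
    v=${v%%+*}                         # 6.5.3+        -> 6.5.3
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0       # no minor component at all
    minor=${rest%%.*}
    rest=${rest#*.}
    [ "$rest" = "$minor" ] && rest=0   # "6.5" has no patch level: treat as 6.5.0
    patch=${rest%%.*}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ""|*[!0-9]*) return 2 ;;   # refuse to guess on malformed input
        esac
    done
    if [ "$major" -eq 6 ] && [ "$minor" -eq 5 ] && [ "$patch" -lt 4 ]; then
        return 0
    fi
    return 1
}

# ext4_mounted [MOUNTS_FILE]
#   returns 0 when the mount table (default /proc/mounts; "-" reads stdin,
#   which is handy for testing) lists at least one ext4 filesystem.
ext4_mounted() {
    grep -qs '[[:space:]]ext4[[:space:]]' "${1:-/proc/mounts}"
}

# classify VERSION [MOUNTS_FILE]
#   prints one verdict token for the fleet inventory:
#   AFFECTED-EXT4, AFFECTED-NO-EXT4, NOT-IN-RANGE or UNPARSED.
classify() {
    rc=0
    kernel_affected "$1" || rc=$?
    case "$rc" in
        0)
            if ext4_mounted "${2:-/proc/mounts}"; then
                echo AFFECTED-EXT4
            else
                echo AFFECTED-NO-EXT4
            fi
            ;;
        1) echo NOT-IN-RANGE ;;
        *) echo UNPARSED ;;
    esac
}

# Audit the host this script runs on (run after the reboot into the new
# kernel, since uname -r reports the running kernel, not the installed one).
running=$(uname -r)
echo "$(hostname) kernel $running: $(classify "$running")"
```

Run it through the fleet tooling of choice (ssh loop, configuration management, or an inventory agent) and treat AFFECTED-EXT4 hosts as first in line. A NOT-IN-RANGE result from a distribution kernel still needs the vendor advisory or package changelog checked for the backported fix, because the script only sees the upstream version number.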

Evidence notes

The core vulnerability detail comes from NVD’s CVE record: Linux kernel before 6.5.4, es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent. NVD also lists the vulnerable CPE range as Linux kernel versions starting with 6.5 and ending before 6.5.4. The linked references include the 6.5.4 changelog, the upstream patch commit, LKML discussion, and related advisory pages, which support the remediation guidance and version boundary.

Official resources

CVE published by NVD/CVE.org on 2023-10-16. The record was later modified on 2026-05-12; that modified timestamp is metadata only and does not change the original issue date.