CVE-2023-45896
📋 TL;DR
CVE-2023-45896 is an out-of-bounds read vulnerability in the Linux kernel's ntfs3 filesystem driver. It allows a physically proximate attacker with local access to read kernel memory by mounting a specially crafted NTFS filesystem. This affects Linux systems with ntfs3 enabled that allow unprivileged users to mount removable media.
💻 Affected Systems
- Linux kernel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access could read sensitive kernel memory, potentially exposing cryptographic keys, passwords, or other privileged information, leading to full system compromise.
Likely Case
Local attackers could read kernel memory to gather information for privilege escalation or bypass security controls, particularly in multi-user environments or public kiosks.
If Mitigated
With proper controls preventing unprivileged mounts and physical access restrictions, the attack surface is significantly reduced to authorized users only.
🎯 Exploit Status
Exploitation requires physical/local access, ability to mount filesystems, and a specially crafted NTFS image. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 6.5.11 and later, or patched in commit 013ff63b649475f0ee134e2c8d0c8e65284ede50
Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.11
Restart Required: Yes
Instructions:
1. Update the Linux kernel to version 6.5.11 or later.
2. For distributions with backported patches, apply the distribution's security updates.
3. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
Disable unprivileged user mounts
Prevent non-root users from mounting filesystems, which blocks the attack vector.
echo 'SUBSYSTEM=="block", ENV{UDISKS_IGNORE}="1"' > /etc/udev/rules.d/99-no-automount.rules
systemctl mask udisks2
mount -o remount,nosuid,nodev,noexec /dev/sdX
Disable ntfs3 module
Blacklist the vulnerable ntfs3 kernel module to prevent it from loading. Note that a blacklist entry only stops automatic loading through the module's filesystem alias; root can still load it explicitly with modprobe ntfs3, and a module built into the kernel (CONFIG_NTFS3_FS=y) cannot be blacklisted at all.
echo 'blacklist ntfs3' > /etc/modprobe.d/blacklist-ntfs3.conf
rmmod ntfs3
update-initramfs -u
🧯 If You Can't Patch
- Restrict physical access to systems and removable media ports
- Implement strict mount policies allowing only trusted, verified filesystems
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether the ntfs3 module is currently loaded: uname -r && lsmod | grep ntfs3
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is 6.5.11 or later, or check if commit 013ff63b649475f0ee134e2c8d0c8e65284ede50 is present in kernel source.
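The version and module checks above, combined into one script. This is an added example, not part of the advisory: it compares uname -r against the 6.5.11 fix version and reports whether ntfs3 is loaded, built in, blacklisted or still loadable. It cannot see a distribution backport, so a kernel that reports an older version may still be fixed; treat its "check distro backport" result as a prompt to consult your vendor's advisory, not as a verdict.

```shell
#!/bin/sh
# Added example for CVE-2023-45896 (not from the advisory or the kernel project).
# Facts used from the advisory: mainline fix in 6.5.11; the attack needs the
# ntfs3 module to be loadable; distributions may backport the fix.

# Compare a kernel release string (e.g. "6.5.9-arch2-1") against a dotted
# minimum version. Returns 0 when the release is >= the minimum.
kernel_at_least() {
    kv_rel=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-arch2-1" style suffix
    kv_min=$2
    kv_i=1
    while [ "$kv_i" -le 3 ]; do
        kv_a=$(printf '%s' "$kv_rel" | cut -d. -f"$kv_i"); kv_a=${kv_a:-0}
        kv_b=$(printf '%s' "$kv_min" | cut -d. -f"$kv_i"); kv_b=${kv_b:-0}
        [ "$kv_a" -gt "$kv_b" ] && return 0
        [ "$kv_a" -lt "$kv_b" ] && return 1
        kv_i=$((kv_i + 1))
    done
    return 0
}

# Report how reachable ntfs3 is on this host. lsmod alone misses a built-in
# driver, so the kernel config is consulted as well (path is the usual
# /boot/config-<release>; adjust if your distribution stores it elsewhere).
ntfs3_exposure() {
    if grep -q '^ntfs3 ' /proc/modules 2>/dev/null; then echo loaded; return; fi
    if grep -q '^CONFIG_NTFS3_FS=y' "/boot/config-$(uname -r)" 2>/dev/null; then echo builtin; return; fi
    if grep -qs '^blacklist[[:space:]]*ntfs3' /etc/modprobe.d/*.conf; then echo blacklisted; return; fi
    echo loadable
}

main() {
    running=$(uname -r)
    exposure=$(ntfs3_exposure)
    if kernel_at_least "$running" 6.5.11; then
        echo "kernel $running is >= 6.5.11: mainline fix present (ntfs3: $exposure)"
    elif [ "$exposure" = blacklisted ]; then
        echo "kernel $running is < 6.5.11 but ntfs3 is blacklisted: workaround in place"
    else
        echo "kernel $running is < 6.5.11 and ntfs3 is $exposure: check distro backport or patch"
    fi
}

main
```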
📡 Detection & Monitoring
Log Indicators:
- Failed mount attempts of NTFS filesystems by non-root users
- Kernel oops or warnings related to ntfs3 in dmesg or /var/log/kern.log
Network Indicators:
- None - this is a local attack requiring physical/media access
SIEM Query:
source="kern.log" AND "ntfs3" AND ("Oops" OR "BUG" OR "general protection fault")
🔗 References
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.11
- https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=013ff63b649475f0ee134e2c8d0c8e65284ede50
- https://github.com/torvalds/linux/commit/013ff63b649475f0ee134e2c8d0c8e65284ede50
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html