Impact
A race condition exists between dquot_scan_active() and quota_release_workfn() in the Linux kernel's quota subsystem. During quota deactivation the releasing list of dquot objects is swapped while another thread scans active dquots, potentially acquiring a reference to an object that has already been freed. This can lead to use‑after‑free and kernel memory corruption. The excerpted code shows how a freed dquot can be manipulated. Based on the description, it is inferred that this leads to kernel memory corruption; the designer’s intention was to prevent a cosmetic inconsistency, but the flaw threatens stability and security.
Affected Systems
Any Linux kernel build that contains the generic quota implementation and is earlier than commit 2bdc80f4619411e5bd4a3ef23f51e14021ed457c is vulnerable. This includes the standard kernel trees used by most mainstream distributions. No specific kernel version numbers are enumerated in the advisory, so all kernels that expose quota activation/deactivation without the patch commit are affected. Exact affected releases cannot be listed because the input does not provide version ranges.
Risk and Exploitability
The CVSS score is 7.8, indicating moderate severity. The EPSS score is less than 1 %, which suggests a very low but non‑zero probability of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog, so no mass exploitation has been documented. Attacking this flaw would require local or elevated privileges to trigger the race by activating or deactivating quotas, so the attack surface is restricted to trusted administrators. The CVE description does not state the privilege required; based on typical kernel privileges, it is inferred that only privileged users can activate or deactivate quotas. If an attacker succeeds, the resulting memory corruption could cause a denial of service or, if the attacker can manipulate the freed memory, privilege escalation. Because the race is subtle, exploitation may be difficult to achieve but is not impossible in environments where the quota subsystem is used heavily.
OpenCVE Enrichment
Debian DLA