CVE-2023-54077 Affecting perf-debuginfo package, versions <0:6.1.29-47.49.amzn2023
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-AMZN2023-PERFDEBUGINFO-15314942
- published19 Feb 2026
- disclosed24 Dec 2025
Introduced: 24 Dec 2025
CVE-2023-54077 (opens in a new tab)How to fix?
Upgrade Amazon-Linux:2023 perf-debuginfo to version 0:6.1.29-47.49.amzn2023 or higher.
This issue was patched in ALAS2023-2023-184.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perf-debuginfo package and not the perf-debuginfo package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix memory leak if ntfs_read_mft failed
Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then next attr will goto label ATTR_ALLOC and alloc ni->dir.alloc_run. However two states are not always consistent and can make memory leak.
- attr_name in ATTR_ROOT does not fit the condition it will set is_root = true but NI_FLAG_DIR is not set.
- next attr_name in ATTR_ALLOC fits the condition and alloc ni->dir.alloc_run
- in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run
- because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported:
unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0 [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0 [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3] [<00000000b9170608>] get_tree_bdev+0x3fb/0x710 [<000000004833798a>] vfs_get_tree+0x8e/0x280 [<000000006e20b8e6>] path_mount+0xf3c/0x1930 [<000000007bf15a5f>] do_mount+0xf3/0x110 ...
Fix this by always setting is_root and NI_FLAG_DIR together.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-54077
- https://git.kernel.org/stable/c/1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06
- https://git.kernel.org/stable/c/3030f2b9b3329db3948c1a145a5493ca6f617d50
- https://git.kernel.org/stable/c/3bb0d3eb475f01744ce6d6e998dfbd80220852a1
- https://git.kernel.org/stable/c/93bf79f989688852deade1550fb478b0a4d8daa8
- https://git.kernel.org/stable/c/bfa434c60157c9793e9b12c9b68ade02aff9f803