Bug 2363696 (CVE-2023-53137)

This CVE-2023-53137 has been officially rejected upstream because the original ext4-level fix it referred to (8dac5a63cf79707b...) was later reverted in Linux v6.5 (3658840cd363 ext4: Remove ext4 locking of moved directory). The upstream maintainers determined that the problem was more appropriately addressed at the VFS (Virtual Filesystem) layer, rather than within the ext4 filesystem itself. A new set of commits, starting with 28eceeda130f (fs: Lock moved directories) and followed by several refinements (66d8fc0539b0, 22e111ed6c83), implemented proper directory move locking across all filesystems. These commits are present in all maintained stable and LTS kernels, effectively rendering the ext4-specific fix obsolete. However, in older kernel branches (around v6.3–v6.4) that contain only the ext4-level patch and not the VFS-level locking changes, a narrow race condition could still theoretically occur when renaming directories, potentially leading to metadata corruption. Because triggering this race requires local access, precise timing, and provides no privilege escalation, the impact level is Low and the CVSS score should reflect low severity. In summary, while the CVE has been rejected upstream due to the alternate global fix, it can still be treated as a Low-impact condition for legacy kernels that include 8dac5a63cf79707b but lack the VFS-level locking commits (28eceeda130f and later).