CVE-2024-26590

In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4	Patch
https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9	Patch
https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724	Patch
https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199	Patch
https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4	Patch
https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9	Patch
https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724	Patch
https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2024-02-22 17:15

Updated : 2025-04-22 17:16

NVD link : CVE-2024-26590

Mitre link : CVE-2024-26590

CVE.ORG link : CVE-2024-26590

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2024-26590", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-02-22T17:15:09.103", "references": [{"url": "https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: erofs: corrige el formato de compresi\u00f3n por archivo inconsistente EROFS puede seleccionar algoritmos de compresi\u00f3n por archivo, y cada algoritmo de compresi\u00f3n por archivo debe marcarse en el superbloque del disco para la inicializaci\u00f3n. Sin embargo, syzkaller puede generar im\u00e1genes manipuladas inconsistentes que usan un tipo de algoritmo no compatible para inodos espec\u00edficos, por ejemplo, usa el tipo de algoritmo MicroLZMA incluso si no est\u00e1 configurado en `sbi->available_compr_algs`. Esto puede provocar un \"ERROR: desreferencia del puntero NULL del kernel\" inesperado si el descompresor correspondiente no est\u00e1 integrado. Solucione este problema comprobando con `sbi->available_compr_algs` para cada solicitud de m_algorithmformat. El mapa de bits preestablecido !erofs_sb_has_compr_cfgs incorrecto ahora se corrige porque antes era inofensivo."}], "lastModified": "2025-04-22T17:16:40.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "994455F4-AD13-47A7-8A3D-D64154176EFC", "versionEndExcluding": "6.6.14", "versionStartIncluding": "5.16.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EA3778C-730B-464C-8023-18CA6AC0B807", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}