CVE-2024-26692 in Linuxinfo

Summary

by MITRE • 04/03/2024

In the Linux kernel, the following vulnerability has been resolved:

smb: Fix regression in writes when non-standard maximum write size negotiated

The conversion to netfs in the 6.3 kernel caused a regression when maximum write size is set by the server to an unexpected value which is not a multiple of 4096 (similarly if the user overrides the maximum write size by setting mount parm "wsize", but sets it to a value that is not a multiple of 4096). When negotiated write size is not a multiple of 4096 the netfs code can skip the end of the final page when doing large sequential writes, causing data corruption.

This section of code is being rewritten/removed due to a large netfs change, but until that point (ie for the 6.3 kernel until now) we can not support non-standard maximum write sizes.

Add a warning if a user specifies a wsize on mount that is not a multiple of 4096 (and round down), also add a change where we round down the maximum write size if the server negotiates a value that is not a multiple of 4096 (we also have to check to make sure that we do not round it down to zero).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 08/11/2025

The vulnerability described in CVE-2024-26692 represents a critical data corruption issue within the Linux kernel's SMB implementation that emerged following the conversion to the netfs framework in kernel version 6.3. This regression specifically affects scenarios where the server negotiates a maximum write size that is not a multiple of the standard 4096-byte page size, or when users explicitly override this value through mount parameters. The issue stems from the interaction between the new netfs infrastructure and legacy SMB write handling mechanisms, creating a situation where data integrity is compromised during large sequential write operations.

The technical flaw manifests when the SMB client encounters a negotiated write size that does not align with the 4096-byte page boundaries required by the netfs subsystem. During large sequential writes, the code path responsible for page-level data handling skips the final portion of the last page, effectively causing data loss or corruption in the written content. This behavior occurs because the netfs framework assumes page-aligned operations and fails to properly handle cases where the negotiated write size creates partial page scenarios. The vulnerability is particularly concerning as it affects the fundamental data persistence mechanisms of network file systems, potentially leading to silent data corruption that may go undetected until data integrity verification is performed.

The operational impact of this vulnerability extends beyond simple data corruption, as it affects the reliability of network-based file operations critical to enterprise environments. Systems utilizing SMB shares with non-standard write sizes or administrators who manually configure mount parameters with non-aligned values become vulnerable to silent data loss. This issue particularly affects environments where automated backup systems, database operations, or large file transfer processes depend on consistent data integrity. The vulnerability affects the kernel version 6.3 and earlier releases, making it a significant concern for organizations that have not yet upgraded to newer kernel versions or have not applied the specific patches addressing this regression.

The mitigation strategy implemented in the fix involves proactive detection and correction of non-standard write sizes through warning mechanisms and automatic rounding down to the nearest 4096-byte boundary. When users specify a wsize parameter that is not a multiple of 4096, the system now generates a warning and automatically rounds down the value to maintain compatibility with the page-aligned requirements of the netfs framework. Additionally, when servers negotiate write sizes that are not page-aligned, the system ensures these values are rounded down appropriately while maintaining a minimum threshold to prevent rounding down to zero, which would render write operations ineffective. This approach aligns with established security practices for handling edge cases in system-level operations and follows the principle of least privilege by ensuring operations proceed within known safe boundaries. The fix demonstrates adherence to common security principles by providing clear user feedback while maintaining system functionality through graceful degradation rather than complete failure. This vulnerability classification corresponds to CWE-129 and CWE-704 within the Common Weakness Enumeration framework, representing issues related to improper input validation and incorrect implementation of security controls in kernel-level operations. The mitigation approach also reflects ATT&CK technique T1070.004 for Indicator Removal on Host, as it addresses a regression that could have led to undetected data corruption, ensuring that system integrity remains visible and verifiable through proper error handling and user notification mechanisms.

Reservation

02/19/2024

Disclosure

04/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00236

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!