CVE-2024-26982 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check the inode number is not the invalid value of zero

Syskiller has produced an out of bounds access in fill_meta_index().

That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked.

The reason this causes the out of bounds access is due to following sequence of events:

1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number).

2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed.

This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is.

[[email protected]: whitespace fix]
Link: https://lkml.kernel.org/r/[email protected]

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/06/2026

The vulnerability described in CVE-2024-26982 represents a critical out-of-bounds memory access flaw within the Linux kernel's squashfs filesystem implementation. This issue stems from inadequate validation of inode numbers during metadata index operations, creating a scenario where maliciously crafted filesystem data can trigger unpredictable behavior. The vulnerability specifically affects the squashfs filesystem driver which is commonly used for read-only filesystems in embedded systems and live environments, making it particularly concerning for system stability and security. The flaw manifests when the kernel attempts to process metadata indices without proper validation of the inode number, leading to potential memory corruption and system instability.

The technical root cause of this vulnerability lies in the improper handling of inode numbers within the fill_meta_index() function of the squashfs driver. When a data read error occurs during metadata index allocation, the system sets the inode number to zero to mark the index as invalid, following the convention that zero is not a valid inode number. However, subsequent calls to locate_meta_index() fail to validate that the returned index has actually been properly filled, since it matches the zero inode number pattern. This creates a race condition where the system incorrectly assumes that a zero-valued inode number represents a valid, filled index, leading to out-of-bounds memory access when the system attempts to process data from an uninitialized metadata structure. The vulnerability follows a classic pattern of improper state validation and assumes that zero values represent valid data, violating fundamental security principles of input validation and state management.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and system compromise. Attackers could exploit this flaw by creating malicious squashfs images with specially crafted metadata that triggers the out-of-bounds access during normal filesystem operations. This could result in denial of service conditions, data corruption, or in more severe scenarios, arbitrary code execution within kernel space. The vulnerability affects systems that mount squashfs filesystems, including embedded devices, live USB systems, and virtualized environments where squashfs is commonly used for read-only filesystems. The issue is particularly dangerous because it operates at the kernel level and can be triggered through normal file system access patterns, making it difficult to detect and prevent through standard user-space security measures. This vulnerability aligns with CWE-129: Improper Validation of Array Index and CWE-787: Out-of-bounds Write, both of which are classified as high-risk due to their potential for system compromise.

Mitigation strategies for this vulnerability require immediate patch application to the Linux kernel, as the fix involves adding a sanity check that validates inode numbers are not zero during index creation and returns -EINVAL when such invalid values are detected. System administrators should prioritize updating kernel versions to include the patched squashfs driver implementation, particularly in environments where squashfs filesystems are mounted or where untrusted filesystem images may be present. Additional protective measures include implementing strict filesystem access controls, monitoring for unusual filesystem behavior, and ensuring that squashfs images are validated before mounting. Organizations should also consider implementing kernel hardening measures such as stack canaries and memory protection features that can help detect and prevent exploitation attempts. From an ATT&CK perspective, this vulnerability relates to T1059.005: Command and Scripting Interpreter: Visual Basic and T1566.001: Phishing: Spearphishing Attachment, as attackers might use malicious squashfs images as attack vectors to exploit this kernel vulnerability, though the primary exploitation mechanism is direct kernel-level memory corruption rather than traditional social engineering approaches.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00280

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!