CVE-2024-49968 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
ext4: filesystems without casefold feature cannot be mounted with siphash
When mounting the ext4 filesystem, if the default hash version is set to DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2024-49968 represents a critical inconsistency in the Linux kernel's ext4 filesystem implementation that directly impacts system stability and security posture. This flaw occurs when administrators attempt to mount ext4 filesystems with specific hash configuration parameters while the filesystem lacks the casefold feature that would normally support such operations. The issue stems from an improper validation mechanism within the kernel's filesystem mounting code that fails to properly verify the compatibility between hash algorithm selection and filesystem feature sets.
The technical root cause of this vulnerability lies in the ext4 filesystem driver's handling of directory index (dx) hash algorithms during mount operations. When the kernel encounters a filesystem configuration where DX_HASH_SIPHASH is specified as the default hash version but the casefold feature flag is not enabled, the mounting process should gracefully fail rather than proceeding with an inconsistent state. This misconfiguration creates a scenario where the filesystem attempts to utilize a hash algorithm that requires casefold support for proper operation, yet the underlying filesystem structure cannot support this requirement. The vulnerability manifests as a kernel panic or filesystem corruption when the system attempts to perform directory operations that depend on the hash table structure.
From an operational impact perspective, this vulnerability presents significant risks to system administrators and security operations teams who may inadvertently configure ext4 filesystems with incompatible parameters. The flaw can lead to unexpected system crashes, data accessibility issues, and potential denial of service conditions across affected systems. The vulnerability directly relates to CWE-1217 which addresses improper handling of filesystem mount options and incorrect parameter validation in kernel modules. Organizations running Linux systems with ext4 filesystems that have been configured with siphash as default hash algorithm without proper casefold feature activation are at risk of system instability and potential data loss.
The security implications extend beyond simple operational concerns to include potential attack surface expansion. Attackers could potentially exploit this inconsistency to cause system crashes or create conditions where filesystem access is restricted, leading to denial of service scenarios. The vulnerability aligns with ATT&CK technique T1490 which involves creating or manipulating filesystems to disrupt system operations. System administrators should be particularly cautious when implementing filesystem configurations that involve hash algorithm selection, as improper combinations can lead to cascading failures. The proper mitigation involves ensuring that when siphash is specified as the default hash algorithm, the casefold feature is properly enabled on the filesystem, or alternatively, that the hash algorithm is configured to match the filesystem's actual feature set.
This vulnerability demonstrates the importance of proper kernel module validation and the critical need for comprehensive testing of filesystem configurations across different kernel versions. The fix implemented in the Linux kernel ensures that mount operations fail gracefully with appropriate error messages when incompatible configurations are detected, preventing the system from entering an inconsistent state. Organizations should conduct thorough audits of their ext4 filesystem configurations, particularly focusing on hash algorithm settings and casefold feature activation status, to ensure that all filesystems are properly configured according to their intended use cases and security requirements.