CVE-2024-50243 in Linux
Summary
by MITRE • 11/09/2024
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix general protection fault in run_is_mapped_full
Fixed deleting of a non-resident attribute in ntfs_create_inode() rollback.
Analysis
by VulDB Data Team • 07/16/2025
The vulnerability CVE-2024-50243 represents a critical general protection fault within the Linux kernel's ntfs3 filesystem driver, specifically affecting the run_is_mapped_full function during the deletion process of non-resident attributes. This flaw occurs in the ntfs_create_inode() rollback mechanism when attempting to handle the removal of filesystem entries that span multiple clusters or storage regions. The issue manifests as a kernel panic or system crash when the filesystem encounters corrupted or improperly managed metadata structures during attribute deletion operations. The ntfs3 driver, which provides read-write support for the ntfs-3g filesystem implementation, processes these operations through a complex mapping system that tracks which clusters are allocated to specific file attributes.
The technical root cause involves improper handling of memory mappings and cluster allocation states during rollback scenarios. When the filesystem attempts to delete a non-resident attribute, which spans multiple clusters, the run_is_mapped_full function fails to properly validate the mapping state before attempting to access or modify the underlying cluster structures. This condition creates a scenario where the kernel's memory management subsystem encounters invalid pointers or corrupted mapping data structures, resulting in an immediate general protection fault. The vulnerability is particularly dangerous because it operates at the kernel level where such faults can lead to complete system instability or denial of service conditions.
The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise data integrity and availability within ntfs-3g filesystems. Systems running Linux kernels with affected ntfs3 drivers face significant risk when processing files with complex attribute structures or during high-load operations involving frequent file creation and deletion. The flaw affects any system utilizing ntfs-3g for mounting NTFS filesystems, including backup servers, file servers, and desktop systems that access NTFS volumes. Attackers could potentially exploit this vulnerability to cause persistent system crashes or, in more sophisticated scenarios, to escalate privileges through carefully crafted filesystem operations that trigger the faulty code path. The vulnerability aligns with CWE-125: Out-of-bounds Read and CWE-787: Out-of-bounds Write, as the kernel attempts to access memory regions beyond their allocated boundaries during attribute deletion rollback operations.
Mitigation strategies for CVE-2024-50243 require immediate kernel updates to versions containing the patched ntfs3 driver implementation. System administrators should prioritize patching all affected systems, particularly those running ntfs-3g filesystems, as the vulnerability can be triggered through normal filesystem operations without requiring special privileges. The fix implemented in the patched kernel versions addresses the specific validation issues within run_is_mapped_full by ensuring proper bounds checking and memory state validation during rollback operations. Organizations should also implement monitoring solutions to detect potential system instability or unexpected crashes that might indicate exploitation attempts. Additionally, regular filesystem integrity checks using ntfsfix or similar tools can help identify and remediate corruption that might increase the likelihood of triggering this vulnerability. This vulnerability is classified under the ATT&CK technique T1059.007: Command and Scripting Interpreter: Python, as it can be exploited through automated scripts that repeatedly trigger filesystem operations to cause system instability.
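As an added example (not code from the kernel project or from VulDB), the crash monitoring suggested above can be approximated by scanning kernel log output for general protection fault reports whose faulting function or call trace names run_is_mapped_full or ntfs_create_inode. The log lines are constructed samples, and the report layout (RIP line, call-trace frames, end-trace marker) is assumed to follow the usual x86-64 oops format.

```python
import re

# Function names come from the advisory; the log layout is an assumption.
WATCHED = {"run_is_mapped_full", "ntfs_create_inode"}
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")              # dmesg timestamp prefix
RIP = re.compile(r"RIP: [0-9a-f]{4}:(\w+)\+0x")         # faulting function
FRAME = re.compile(r"^\s*\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # trace frame

def find_ntfs3_gpfs(lines):
    """Return GPF reports whose faulting function or call trace is in WATCHED."""
    hits, cur = [], None
    def flush():
        # Keep the open report only if it touches a watched function.
        if cur and ({cur["rip"]} | set(cur["frames"])) & WATCHED:
            hits.append(cur)

    for raw in lines:
        line = STAMP.sub("", raw.rstrip())
        if "general protection fault" in line:
            flush()                      # previous report may lack an end marker
            cur = {"header": line.strip(), "rip": None, "frames": []}
        elif cur is not None:
            if (m := RIP.search(line)) and cur["rip"] is None:
                cur["rip"] = m.group(1)
            elif m := FRAME.match(line):
                cur["frames"].append(m.group(1))
            if "---[ end trace" in line:
                flush()
                cur = None
    flush()                              # log truncated in the middle of a report
    return hits

# Constructed sample: one report in the ntfs3 path, one unrelated report.
SAMPLE_LOG = """\
[  101.000001] general protection fault, probably for non-canonical address 0xdead000000000000: 0000 [#1] PREEMPT SMP
[  101.000002] RIP: 0010:run_is_mapped_full+0x5a/0x120
[  101.000003] Call Trace:
[  101.000004]  ntfs_create_inode+0x1a2b/0x2f00
[  101.000005]  vfs_mkdir+0x3e/0x50
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] general protection fault: 0000 [#2] SMP
[  202.000002] RIP: 0010:example_other_driver+0x10/0x40
[  202.000003] Call Trace:
[  202.000004]  example_other_caller+0x22/0x80
[  202.000005] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    for h in find_ntfs3_gpfs(SAMPLE_LOG):
        print(h["rip"], "<-", ", ".join(h["frames"]))
```

On a live host the same function can be fed the lines of `dmesg` or `journalctl -k` output instead of the sample.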