CVE-2024-50247 in Linux
Summary
by MITRE • 11/09/2024
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Check if more than chunk-size bytes are written
An incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and an index out of bounds will occur in s_max_off.
Analysis
by VulDB Data Team • 10/02/2025
The vulnerability identified as CVE-2024-50247 resides within the Linux kernel's ntfs3 file system driver, specifically in the decompression of compressed data chunks. The flaw manifests when the driver handles improperly formatted compressed data whose decompressed content expands beyond the LZNT_CHUNK_SIZE limit. The ntfs3 driver implements the LZNT1 compression algorithm for managing file system data, and this vulnerability concerns a boundary condition in how the decompression routine handles oversized output data.
The technical implementation of this vulnerability stems from inadequate bounds checking during the decompression phase of ntfs3 file system operations. When the decompression routine encounters a malformed chunk that would theoretically produce more than LZNT_CHUNK_SIZE bytes of uncompressed data, the system fails to validate whether the output buffer can accommodate this expansion. This oversight creates an index out of bounds condition specifically affecting the s_max_off variable, which tracks maximum offsets within the decompression buffer. The flaw represents a classic buffer overflow scenario where the decompression logic does not properly enforce size constraints, allowing for memory access violations that could be exploited by malicious actors.
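The check described above, shown as an added example: a simplified user-space model of an LZNT1 chunk decoder, not the kernel's code or the upstream patch. The names `chunk_decode`, `max_off`, `CHUNK_SIZE` (assumed to equal the kernel's LZNT_CHUNK_SIZE) and both sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define CHUNK_SIZE 0x1000 /* assumed equal to the kernel's LZNT_CHUNK_SIZE */
/* Output positions at which a back-reference gains one offset bit (model of s_max_off). */
static const size_t max_off[] = {0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000};

/* Decode one chunk body (header already stripped). Returns bytes written, -1 if malformed. */
long chunk_decode(uint8_t *out, size_t out_cap, const uint8_t *in, size_t in_len)
{
    /* Cap by the chunk size, not only by the caller's buffer, which may span several chunks. */
    size_t limit = out_cap < CHUNK_SIZE ? out_cap : CHUNK_SIZE;
    size_t ip = 0, pos = 0, idx = 0;
    while (ip < in_len) {
        unsigned flags = in[ip++];
        for (int bit = 0; bit < 8 && ip < in_len; bit++, flags >>= 1) {
            if (pos >= limit)
                return -1;              /* input still wants to write past the chunk */
            if (!(flags & 1)) {         /* literal byte */
                out[pos++] = in[ip++];
                continue;
            }
            if (in_len - ip < 2)
                return -1;              /* truncated back-reference token */
            /* pos < CHUNK_SIZE here, so this walk always stops inside the table. */
            while (max_off[idx] < pos)
                idx++;
            unsigned tok = in[ip] | (unsigned)in[ip + 1] << 8;
            unsigned len_bits = 12 - (unsigned)idx;
            size_t off = (tok >> len_bits) + 1;
            size_t len = (tok & ((1u << len_bits) - 1)) + 3;
            ip += 2;
            if (off > pos || len > limit - pos)
                return -1;              /* reaches before the start or past the chunk */
            for (; len; len--, pos++)
                out[pos] = out[pos - off];
        }
    }
    return (long)pos;
}

/* Constructed samples: "abc" plus a 6-byte copy; one literal plus a 4098-byte copy. */
static const uint8_t sample_ok[]  = {0x08, 'a', 'b', 'c', 0x03, 0x20};
static const uint8_t sample_bad[] = {0x02, 'A', 0xFF, 0x0F};
int main(void)
{
    static uint8_t buf[2 * CHUNK_SIZE];
    return chunk_decode(buf, sizeof buf, sample_ok, sizeof sample_ok) == 9 &&
           chunk_decode(buf, sizeof buf, sample_bad, sizeof sample_bad) == -1 ? 0 : 1;
}
```

If the limit were only the caller's buffer size, `pos` could pass 0x1000 and the `while (max_off[idx] < pos)` walk would run off the end of the nine-entry table, which is the out-of-bounds index the summary describes.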
The operational impact of this vulnerability extends beyond simple data corruption, potentially enabling arbitrary code execution or system instability within affected Linux systems. When a maliciously crafted ntfs3 file system containing malformed compressed data is accessed, the kernel's ntfs3 driver may attempt to write beyond allocated memory boundaries, causing kernel panics, system crashes, or potentially allowing privilege escalation attacks. This vulnerability affects any Linux system running with ntfs3 support enabled, particularly those that mount ntfs3 file systems or process compressed data from ntfs3 volumes. The risk is elevated in environments where untrusted ntfs3 volumes might be mounted or where automated file system processing occurs.
Mitigation strategies for CVE-2024-50247 focus on applying the latest kernel patches that implement proper bounds checking in the ntfs3 decompression routine. System administrators should prioritize updating their Linux kernels to versions containing the patched ntfs3 driver implementation that correctly validates decompressed output sizes against LZNT_CHUNK_SIZE limits. Additionally, monitoring systems should be configured to detect suspicious ntfs3 file system access patterns, particularly when processing compressed data from untrusted sources. The vulnerability aligns with CWE-129, which addresses insufficient bounds checking, and could potentially map to ATT&CK technique T1059.005 for execution through kernel-level code manipulation. Organizations should also implement strict access controls for ntfs3 file systems and consider disabling ntfs3 support on systems where it is not essential to reduce attack surface.