CVE-2024-26590

erofs: fix inconsistent per-file compression format

Description

In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9 patch
https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724 patch
https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199 patch
https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4 patch

Frequently Asked Questions

What is the severity of CVE-2024-26590?
CVE-2024-26590 has been scored as a medium severity vulnerability.
How to fix CVE-2024-26590?
To fix CVE-2024-26590, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-26590 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-26590 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-26590?
CVE-2024-26590 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.