
CVE-2024-26590: Vulnerability in Linux (Linux kernel, erofs)

Severity: Medium
Published: Thu Feb 22 2024 (02/22/2024, 16:13:34 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: erofs: fix inconsistent per-file compression format

EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even if it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously.

AI-Powered Analysis

Last updated: 06/29/2025, 20:56:32 UTC

Technical Analysis

CVE-2024-26590 is a medium-severity vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) driver. EROFS can choose a compression algorithm per file, and the set of algorithms an image uses is recorded as a bitmap in the on-disk superblock (held in memory as `sbi->available_compr_algs`) so that the matching decompressors can be initialized when the image is mounted.

The bug is a missing consistency check: the algorithm type stored for an individual inode was never validated against that superblock bitmap. A crafted image (the original reproducer came from the syzkaller fuzzer, but any hand-built image will do) can therefore mark an inode as MicroLZMA-compressed while the superblock does not declare MicroLZMA at all. If the kernel was built without that decompressor, the per-file lookup yields a NULL decompressor and the read path dereferences it, producing "BUG: kernel NULL pointer dereference" and crashing the mounting kernel.

The fix checks every `m_algorithmformat` request against `sbi->available_compr_algs` and rejects a format the superblock never advertised instead of trusting the inode. The same patch also corrects the preset bitmap used for images that carry no compression configs (the `!erofs_sb_has_compr_cfgs` case), which was wrong but harmless on its own.

The weakness is classified as CWE-476 (NULL Pointer Dereference) and carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H): local attack vector, low privileges, no user interaction, and impact on availability only, with no confidentiality or integrity loss. In practice the precondition is getting the kernel to mount an attacker-controlled EROFS image, for example through removable-media automounting or a service that mounts user-supplied images. No exploits in the wild have been reported.
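The following user-space model is an added example, not code from the advisory or from the Linux kernel. It shows the pre-fix behaviour (the inode's algorithm type is trusted and indexes a decompressor table that has NULL entries for decompressors not built in) next to the check the fix introduces (every request is validated against the superblock bitmap). The struct and function names, the toy decompressor table, and the choice of -EFSCORRUPTED as the rejection code are this example's assumptions; the algorithm numbering is assumed to follow the kernel's LZ4, LZMA, DEFLATE order.

```c
/* Added example (not Linux kernel code): models the per-file compression
 * format check that the CVE-2024-26590 fix introduces. Names are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Linux maps EFSCORRUPTED to EUCLEAN (117); defined locally for portability. */
#define EFSCORRUPTED 117

/* Algorithm format numbers, assumed to follow the kernel's ordering. */
enum z_erofs_algorithm {
    Z_EROFS_COMPRESSION_LZ4 = 0,
    Z_EROFS_COMPRESSION_LZMA = 1,     /* MicroLZMA */
    Z_EROFS_COMPRESSION_DEFLATE = 2,
    Z_EROFS_COMPRESSION_MAX
};

typedef int (*decompress_fn)(const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t outlen);

/* Stand-in for struct erofs_sb_info: only the field the check needs. */
struct erofs_sb_info {
    uint16_t available_compr_algs;    /* bitmap read from the superblock */
};

/* Stand-in for struct erofs_map_blocks: the per-file format of one request. */
struct erofs_map_blocks {
    unsigned int m_algorithmformat;
};

/* Toy LZ4 stand-in: copies input so the call path can be exercised. */
static int lz4_copy(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen)
{
    if (inlen > outlen)
        return -EINVAL;
    for (size_t i = 0; i < inlen; i++)
        out[i] = in[i];
    return (int)inlen;
}

/* Decompressor table of the "kernel" in this example: only LZ4 is built in.
 * NULL entries play the role of CONFIG_EROFS_FS_ZIP_LZMA / _DEFLATE being off. */
static const decompress_fn decompressors[Z_EROFS_COMPRESSION_MAX] = {
    [Z_EROFS_COMPRESSION_LZ4] = lz4_copy,
    [Z_EROFS_COMPRESSION_LZMA] = NULL,
    [Z_EROFS_COMPRESSION_DEFLATE] = NULL,
};

/* Pre-fix behaviour: the inode's algorithm type is trusted as-is. For a
 * crafted image naming LZMA, *fn comes back NULL and a real caller would
 * dereference it. Returns 1 when that would have happened, 0 otherwise. */
static int select_unchecked(const struct erofs_map_blocks *map, decompress_fn *fn)
{
    if (map->m_algorithmformat >= Z_EROFS_COMPRESSION_MAX)
        return -EINVAL;       /* bound only so this example stays memory-safe */
    *fn = decompressors[map->m_algorithmformat];
    return *fn == NULL;       /* 1: the kernel would have oopsed here */
}

/* Post-fix behaviour: each request's format must be in the bitmap the
 * superblock advertised; anything else is an inconsistent image. */
static int select_checked(const struct erofs_sb_info *sbi,
                          const struct erofs_map_blocks *map, decompress_fn *fn)
{
    unsigned int alg = map->m_algorithmformat;

    if (alg >= Z_EROFS_COMPRESSION_MAX ||
        !(sbi->available_compr_algs & (1U << alg))) {
        fprintf(stderr, "erofs: inconsistent algorithmtype %u\n", alg);
        return -EFSCORRUPTED;
    }
    *fn = decompressors[alg];
    /* The kernel refuses an advertised-but-not-built-in algorithm at mount
     * time; this example keeps an explicit guard as belt and braces. */
    return *fn ? 0 : -EOPNOTSUPP;
}

/* Decompress one request the post-fix way; returns bytes produced or -errno. */
static int z_erofs_decompress_example(const struct erofs_sb_info *sbi,
                                      const struct erofs_map_blocks *map,
                                      const uint8_t *in, size_t inlen,
                                      uint8_t *out, size_t outlen)
{
    decompress_fn fn;
    int err = select_checked(sbi, map, &fn);
    return err ? err : fn(in, inlen, out, outlen);
}

int main(void)
{
    /* Constructed image: the superblock advertises LZ4 only, but one inode
     * is marked MicroLZMA, the shape of the syzkaller reproducer. */
    struct erofs_sb_info sbi = { .available_compr_algs = 1U << Z_EROFS_COMPRESSION_LZ4 };
    struct erofs_map_blocks good = { .m_algorithmformat = Z_EROFS_COMPRESSION_LZ4 };
    struct erofs_map_blocks bad = { .m_algorithmformat = Z_EROFS_COMPRESSION_LZMA };
    const uint8_t payload[] = "erofs";
    uint8_t buf[16];
    decompress_fn fn = NULL;

    printf("unchecked LZMA request: %s\n",
           select_unchecked(&bad, &fn) == 1 ? "NULL decompressor (would oops)" : "ok");
    printf("checked LZMA request: %d (EFSCORRUPTED is %d)\n",
           select_checked(&sbi, &bad, &fn), -EFSCORRUPTED);
    printf("checked LZ4 request produced %d bytes\n",
           z_erofs_decompress_example(&sbi, &good, payload, sizeof payload,
                                      buf, sizeof buf));
    return 0;
}
```

The point to take from the model is that the bitmap check turns an attacker-chosen inode field into a parse error on the image, so the worst case becomes a refused read (or a refused mount) rather than a kernel oops.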

Potential Impact

For European organizations, this vulnerability is primarily a denial-of-service risk on systems running an unpatched kernel with EROFS compression support. A NULL pointer dereference in the read path crashes the kernel, so a single crafted image can take down a host and any services on it. EROFS is most common in embedded and mobile images (it is used for Android system partitions), in network appliances, and in container and image-delivery tooling that ships compressed read-only filesystems, so the exposure is concentrated in those estates rather than in general-purpose servers. Because the attacker needs the kernel to mount an image they control, the realistic scenarios are multi-user hosts, workstations that automount removable media, and services that accept and mount user-supplied images. There is no confidentiality or integrity impact, so this is not a data-breach vector, but an availability loss in telecommunications, industrial control, or cloud infrastructure can still disrupt operations. With no known exploitation in the wild and a medium score, the threat is moderate but should be patched on schedule rather than deferred.

Mitigation Recommendations

European organizations should take the following specific actions to mitigate this vulnerability:

1) Identify and inventory Linux systems whose kernel lacks the fix for CVE-2024-26590. The upstream fix was published on February 22, 2024 and has been backported to stable branches, so check distribution advisories rather than comparing version numbers alone, and prioritize hosts with EROFS compression support (CONFIG_EROFS_FS_ZIP and the per-algorithm options such as CONFIG_EROFS_FS_ZIP_LZMA) enabled.

2) Apply the vendor kernel update or upgrade to a kernel that includes the fix as soon as possible.

3) For embedded or specialized devices where kernel upgrades are difficult, disable EROFS, or at least its compression support, if it is not strictly required.

4) Limit who can get the kernel to mount images: restrict local access to trusted users, disable automounting of removable media on hosts that do not need it, and review any service that mounts user-supplied images.

5) Treat EROFS images as untrusted input. Do not mount images from unverified sources, and where images must be ingested, verify their provenance (signatures, checksums) before mounting.

6) Monitor kernel logs and crash reports for "BUG: kernel NULL pointer dereference" entries and unexpected reboots on hosts that mount EROFS images; repeated crashes around a mount are the signature to look for.

7) Track this CVE in vulnerability management and patching workflows so the remediation is recorded and verified.
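The script below is an added example, not from the advisory or the kernel project, that implements the inventory step: it reports whether erofs is registered with the running kernel, which EROFS compression options the kernel config enables, and which erofs filesystems are currently mounted. Each function takes a path to a file in the format of the procfs node it is named after, so it can also be run against saved copies collected from a fleet; `erofs_exposure_report` is the live-host wrapper.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): exposure check
# for CVE-2024-26590. Functions read procfs-format files so they can be pointed
# at saved copies as well as the live nodes.

# Return 0 if erofs is registered with the kernel (built in or module loaded).
# /proc/filesystems lines look like "nodev<TAB>proc" or "<TAB>erofs".
erofs_registered() {
    awk '$NF == "erofs" { found = 1 } END { exit !found }' "$1"
}

# Print the EROFS compression options enabled in a kernel config file
# (e.g. a decompressed /proc/config.gz). CONFIG_EROFS_FS_ZIP is the
# compression core; _LZMA and _DEFLATE are the optional decompressors.
erofs_compr_config() {
    grep -E '^CONFIG_EROFS_FS_ZIP(_LZMA|_DEFLATE)?=y' "$1" | sed 's/=y$//'
}

# Print "mountpoint options" for every erofs mount in a /proc/mounts-format file.
erofs_mounts() {
    awk '$3 == "erofs" { print $2, $4 }' "$1"
}

# Live-host wrapper: returns 1 when erofs is not registered at all.
erofs_exposure_report() {
    if ! erofs_registered /proc/filesystems; then
        echo "erofs not registered; not exposed unless the module can be loaded"
        return 1
    fi
    echo "erofs registered on $(uname -r)"
    if [ -r /proc/config.gz ]; then
        cfg="${TMPDIR:-/tmp}/erofs_cfg.$$"
        zcat /proc/config.gz > "$cfg"
        echo "compression options enabled:"
        erofs_compr_config "$cfg"
        rm -f "$cfg"
    fi
    echo "erofs mounts:"
    erofs_mounts /proc/mounts
}
```

A host where `erofs_registered` fails and the module is absent from `/lib/modules/$(uname -r)` is not reachable by this bug; a host that reports mounts from loop devices or removable media is the one to patch first.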


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.126Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe40e5

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 8:56:32 PM

Last updated: 8/12/2025, 7:14:08 AM
