CVE-2024-38599: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

jffs2: prevent xattr node from overflowing the eraseblock

Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker.

Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that an xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as:

    jffs2: argh. node added in wrong place at 0x0000b050(2)
    jffs2: nextblock 0x0000a000, expected at 0000b00c
    jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000
    jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171}
    jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block
    jffs2: Perhaps the file system was created with the wrong erase size?
    jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead

This breaks the filesystem and can lead to KASAN crashes such as:

    BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0
    Read of size 4 at addr ffff88802c31e914 by task repro/830

    CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0xc6/0x120
     print_report+0xc4/0x620
     ? __virt_addr_valid+0x308/0x5b0
     kasan_report+0xc1/0xf0
     ? jffs2_sum_add_kvec+0x125e/0x15d0
     ? jffs2_sum_add_kvec+0x125e/0x15d0
     jffs2_sum_add_kvec+0x125e/0x15d0
     jffs2_flash_direct_writev+0xa8/0xd0
     jffs2_flash_writev+0x9c9/0xef0
     ? __x64_sys_setxattr+0xc4/0x160
     ? do_syscall_64+0x69/0x140
     ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
     [...]

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
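As an added example (not code from the page or from the kernel tree), the guard the commit message describes, modelled in user space: the 32-byte node header, the 4-byte PAD() rounding and the 12-byte cleanmarker are assumptions about JFFS2's on-flash layout, and the check itself is the one the fix adds before flash space is reserved.

```c
/* Added example, not from the page or the kernel tree: a user-space model of
 * the size guard the commit message describes.  The 32-byte header length and
 * the 4-byte PAD() rounding are assumptions modelled on JFFS2's on-flash
 * node layout. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD(x) (((x) + 3u) & ~3u)   /* JFFS2 aligns nodes to 4 bytes (assumed) */
#define XATTR_HDR_LEN 32u            /* assumed fixed xattr node header length */

/* Bytes one xattr node occupies on flash: header + name + NUL + value, padded.
 * The node is written whole; unlike inode data nodes it is never split. */
uint32_t xattr_request_len(const char *name, uint32_t value_len)
{
    return PAD(XATTR_HDR_LEN + (uint32_t)strlen(name) + 1u + value_len);
}

/* Largest node that fits in one eraseblock behind the cleanmarker. */
uint32_t xattr_max_request(uint32_t sector_size, uint32_t cleanmarker_size)
{
    return sector_size - cleanmarker_size;
}

/* The guard the fix adds: a larger node would be written past the end of the
 * eraseblock and over whatever nodes follow it, which is the corruption above. */
bool xattr_request_fits(uint32_t sector_size, uint32_t cleanmarker_size,
                        const char *name, uint32_t value_len)
{
    return xattr_request_len(name, value_len)
           <= xattr_max_request(sector_size, cleanmarker_size);
}

int main(void)
{
    /* Constructed geometry: 64 KiB eraseblock, 12-byte cleanmarker (NOR-style). */
    const uint32_t sector = 65536u, marker = 12u;
    const char *name = "user.example";
    const uint32_t sizes[] = { 4096u, 65000u, 65479u, 65480u, 70000u };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("value_len=%" PRIu32 " request=%" PRIu32 " -> %s\n", sizes[i],
               xattr_request_len(name, sizes[i]),
               xattr_request_fits(sector, marker, name, sizes[i])
                   ? "fits" : "rejected");
    return 0;
}
```

With this geometry the last value that still fits under "user.example" is 65479 bytes; one byte more pads to 65528, exceeds the 65524-byte budget and is refused instead of spilling into the next eraseblock.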
AI Analysis
Technical Summary
CVE-2024-38599 addresses a vulnerability in the Linux kernel's JFFS2 (Journaling Flash File System version 2) implementation related to extended attribute (xattr) nodes. JFFS2 is a log-structured file system designed for use with flash memory devices. The vulnerability arises because xattr nodes in JFFS2 are not split across multiple eraseblocks, unlike regular inode nodes. This means that an xattr node must fit entirely within a single eraseblock. The flaw occurs when the system does not properly check the size of the requested xattr node against the size of the eraseblock minus the cleanmarker. If the xattr node size exceeds this limit, it can overflow into the next eraseblock, overwriting adjacent nodes and corrupting the file system structure. This corruption manifests as errors such as node CRC failures, unexpected node placements, and magic bitmask mismatches during eraseblock scanning. The filesystem corruption can lead to kernel memory safety issues, including KASAN (Kernel Address Sanitizer) slab-out-of-bounds reads, which may cause kernel crashes or undefined behavior. The vulnerability was discovered and reported by the Linux Verification Center using the Syzkaller fuzzing tool. It affects Linux kernel versions prior to the patch that introduced the size check for xattr nodes. This flaw can compromise the integrity and availability of the filesystem on affected devices, particularly those relying on JFFS2 for flash storage. Exploitation does not require user interaction but does require the ability to set extended attributes on files within a JFFS2 filesystem, which may be limited to privileged users or specific system contexts. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment of Linux systems utilizing JFFS2 filesystems, which are commonly found in embedded devices, IoT equipment, and specialized industrial hardware. Organizations in sectors such as manufacturing, telecommunications, automotive, and critical infrastructure that use embedded Linux devices with JFFS2 may face filesystem corruption leading to device instability, data loss, or denial of service. This can disrupt operational technology (OT) environments and critical services. Additionally, kernel crashes caused by this vulnerability could be leveraged for denial-of-service attacks, potentially impacting service availability. Although exploitation requires the ability to write extended attributes, attackers with local access or compromised credentials could trigger the flaw. The integrity and availability of embedded systems are critical in many European industries, so this vulnerability poses a tangible risk to operational continuity and data integrity. The absence of known exploits reduces immediate risk, but the potential for future exploitation remains, especially as attackers target embedded Linux devices. Organizations relying on Linux-based embedded systems should assess their exposure and prioritize patching to prevent filesystem corruption and maintain system reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that introduce the size check for xattr nodes in JFFS2 to prevent overflow conditions. Ensure all embedded devices and systems running vulnerable kernel versions are updated promptly.
2. For devices where kernel updates are not immediately feasible, restrict the ability to set extended attributes on JFFS2 filesystems to trusted users only, minimizing the risk of exploitation.
3. Implement monitoring for filesystem errors and kernel logs indicating JFFS2 corruption or KASAN reports to detect potential exploitation attempts early.
4. Conduct a thorough inventory and risk assessment of embedded Linux devices using JFFS2 within the organization, prioritizing patch deployment on critical systems.
5. Collaborate with device vendors to obtain updated firmware or kernel versions that address this vulnerability.
6. Employ network segmentation and access controls to limit exposure of embedded devices to untrusted networks or users, reducing the attack surface.
7. Regularly back up critical data stored on affected devices to enable recovery in case of filesystem corruption.
8. Consider alternative filesystems or storage solutions for new deployments where feasible, to reduce reliance on JFFS2 in sensitive environments.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-18T19:36:34.932Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2ab2
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 11:42:20 AM
Last updated: 8/17/2025, 3:24:04 AM
Views: 12