
CVE-2024-49958: Vulnerability in Linux Linux

High
Published: Mon Oct 21 2024 (10/21/2024, 18:02:11 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: reserve space for inline xattr before attaching reflink tree

One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption

    [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230
    as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n

The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block.

    Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
    FS Generation: 904309833 (0x35e6ac49)
    CRC32: 00000000   ECC: 0000
    Type: Regular   Attr: 0x0   Flags: Valid
    Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
    Extended Attributes Block: 0  Extended Attributes Inline Size: 256
    User: 0 (root)   Group: 0 (root)   Size: 281320357888
    Links: 1   Clusters: 141738
    ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
    atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
    mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
    dtime: 0x0 -- Wed Dec 31 17:00:00 1969
    Refcount Block: 2777346
    Last Extblk: 2886943   Orphan Slot: 0
    Sub Alloc Slot: 0   Sub Alloc Bit: 14
    Tree Depth: 1   Count: 227   Next Free Rec: 230
    ## Offset        Clusters       Block#
    0  0             2310           2776351
    1  2310          2139           2777375
    2  4449          1221           2778399
    3  5670          731            2779423
    4  6401          566            2780447
    .......          ....           .......
    .......          ....           .......

The issue was in the reflink workflow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption.

The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix.

AI-Powered Analysis

Last updated: 06/27/2025, 21:41:42 UTC

Technical Analysis

CVE-2024-49958 is a vulnerability in the Linux kernel's OCFS2 (Oracle Cluster File System version 2) filesystem implementation. The flaw arises in the reflink workflow during the reservation of space for inline extended attributes (xattr). Specifically, the function ocfs2_reflink_xattr_inline() reserves space for inline xattrs at the destination inode after the reflink tree has already been recreated from the source inode. This reservation reduces l_count (the number of extent record slots in the root extent list) from 243 to 227 to free 256 bytes for inline xattrs, without verifying that the root metadata block has sufficient space. However, the inode already contains extents beyond this reduced index (up to 230 in the reported case), leading to metadata corruption. This corruption manifests as filesystem inconsistencies detected by fsck, such as an extent list whose next free record (230) exceeds the largest valid value (227), and can cause system crashes and data integrity issues. The root cause is improper ordering of operations: space for inline metadata should be reserved before the reflink tree is recreated, so that the reserved area cannot overlap extent records already in use. The vulnerability was reported by a customer who experienced a crash and corrupted OCFS2 filesystem. The fix involves adjusting the reservation timing to occur prior to reflink tree recreation, preventing the corruption. This vulnerability affects specific Linux kernel versions identified by commit hashes and was publicly disclosed on October 21, 2024. No known exploits are currently in the wild, and no CVSS score has been assigned yet.
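The corruption signature described above (Next Free Rec exceeding Count in the root extent list) can be checked mechanically from debugfs.ocfs2 stat output. The following Python is an added example, not part of the advisory or the kernel patch; the function names and result keys are hypothetical, and the sample input is constructed from the stat output quoted in the description.

```python
import re

# Constructed sample: the relevant lines of the debugfs.ocfs2 stat output
# quoted in the description above (other fields omitted).
SAMPLE_STAT = """\
Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
Extended Attributes Block: 0  Extended Attributes Inline Size: 256
Tree Depth: 1   Count: 227   Next Free Rec: 230
"""

# Per the description, shrinking l_count from 243 to 227 frees 256 bytes,
# so one extent record slot is 256 / (243 - 227) = 16 bytes.
EXTENT_REC_BYTES = 256 // (243 - 227)


def _int_field(name, text):
    """Return the integer after 'name:' or None if the field is absent."""
    m = re.search(r"\b" + re.escape(name) + r":\s*(\d+)", text)
    return int(m.group(1)) if m else None


def check_root_extent_list(stat_text):
    """Check the root extent list invariant Next Free Rec <= Count.

    Returns None when the output carries no extent list fields.
    """
    count = _int_field("Count", stat_text)
    next_free = _int_field("Next Free Rec", stat_text)
    if count is None or next_free is None:
        return None
    feats = re.search(r"Dynamic Features:[^\n]*", stat_text)
    flags = feats.group(0).split() if feats else []
    overshoot = max(0, next_free - count)
    return {
        "inode": _int_field("Inode", stat_text),
        "count": count,
        "next_free_rec": next_free,
        "corrupt": next_free > count,
        "overshoot_records": overshoot,
        # Extent records that lie past l_count share bytes with the area
        # carved out for inline xattrs.
        "overlap_bytes": overshoot * EXTENT_REC_BYTES,
        # Refcounted + InlineXattr is the inode profile this CVE produces.
        "reflink_inline_xattr": {"InlineXattr", "Refcounted"} <= set(flags),
    }
```

For the reported inode the check flags 3 records (48 bytes) lying inside the area reserved for inline xattrs.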

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems using the OCFS2 filesystem, which is commonly deployed in clustered environments and enterprise storage solutions. Organizations relying on Linux servers with OCFS2 for critical data storage or cluster file sharing could experience filesystem corruption leading to data loss, system crashes, and downtime. This can disrupt business operations, especially in sectors like finance, manufacturing, telecommunications, and research institutions that utilize clustered Linux environments. The corruption can also complicate recovery efforts, potentially requiring manual fsck interventions or data restoration from backups. While exploitation does not appear to be remotely triggered, the vulnerability could be triggered by local users or processes performing reflink operations with inline xattrs, making it a concern for multi-user or multi-tenant environments. The integrity and availability of data are the primary impacted security properties, with confidentiality less directly affected. Given the kernel-level nature of the flaw, it could also affect containerized or virtualized workloads running on vulnerable hosts.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions containing the fix for CVE-2024-49958 as soon as patches become available from their Linux distribution vendors. Since the vulnerability relates to OCFS2, organizations should audit their infrastructure to identify systems using this filesystem and assess their exposure. For environments where immediate patching is not feasible, administrators should limit or monitor operations involving reflink and inline xattrs on OCFS2 filesystems, especially those initiated by untrusted users or automated processes. Implementing strict access controls and filesystem integrity monitoring can help detect early signs of corruption. Regular backups and tested recovery procedures are essential to mitigate potential data loss. Additionally, organizations should consider isolating critical OCFS2 storage nodes to reduce the risk of cascading failures. Collaboration with Linux distribution maintainers and monitoring security advisories for updated patches and mitigation guidance is recommended.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.048Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdceb0

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 9:41:42 PM

Last updated: 8/12/2025, 8:10:05 AM
