{"api_version":"1","generated_at":"2026-05-13T19:30:40+00:00","cve":"CVE-2024-38599","urls":{"html":"https://cve.report/CVE-2024-38599","api":"https://cve.report/api/cve/CVE-2024-38599.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-38599","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-38599"},"summary":{"title":"jffs2: prevent xattr node from overflowing the eraseblock","description":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","state":"PUBLISHED","assigner":"Linux","published_at":"2024-06-19 14:15:19","updated_at":"2026-05-12 12:16:54"},"problem_types":["CWE-125"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913","name":"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b","name":"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11","name":"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098","name":"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275","name":"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8","name":"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df","name":"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb","name":"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07","name":"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-38599","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38599","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe 2904e1d9b64f72d291095e3cbb31634f08788b11 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe 526235dffcac74c7823ed504dfac4f88d84ba5df git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe a1d21bcd78cf4a4353e1e835789429c6b76aca8b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe f06969df2e40ab1dc8f4364a5de967830c74a098 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe af82d8d2179b7277ad627c39e7e0778f1c86ccdb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe 8d431391320c5c5398ff966fb3a95e68a7def275 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe 978a12c91b38bf1a213e567f3c20e2beef215f07 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aa98d7cf59b5b0764d3502662053489585faf2fe c6854e5a267c28300ff045480b5a7ee7f6f1d913 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.18","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.18 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.316 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.278 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.219 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.161 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.93 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.33 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.12 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9.3 6.9.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"38599","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-04T17:21:43.499Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2024-38599","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-09-10T17:13:27.704743Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-09-11T17:34:54.313Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:55:02.555Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/jffs2/xattr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"2904e1d9b64f72d291095e3cbb31634f08788b11","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"526235dffcac74c7823ed504dfac4f88d84ba5df","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"a1d21bcd78cf4a4353e1e835789429c6b76aca8b","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"f06969df2e40ab1dc8f4364a5de967830c74a098","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"af82d8d2179b7277ad627c39e7e0778f1c86ccdb","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"8d431391320c5c5398ff966fb3a95e68a7def275","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"978a12c91b38bf1a213e567f3c20e2beef215f07","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"},{"lessThan":"c6854e5a267c28300ff045480b5a7ee7f6f1d913","status":"affected","version":"aa98d7cf59b5b0764d3502662053489585faf2fe","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/jffs2/xattr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.18"},{"lessThan":"2.6.18","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.316","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.278","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.219","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.161","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.93","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.33","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.12","versionType":"semver"},{"lessThanOrEqual":"6.9.*","status":"unaffected","version":"6.9.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.10","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.316","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.278","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.219","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.161","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.93","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.33","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.12","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9.3","versionStartIncluding":"2.6.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.10","versionStartIncluding":"2.6.18","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}],"providerMetadata":{"dateUpdated":"2026-05-11T20:19:50.529Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11"},{"url":"https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df"},{"url":"https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8"},{"url":"https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b"},{"url":"https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098"},{"url":"https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb"},{"url":"https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275"},{"url":"https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07"},{"url":"https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913"}],"title":"jffs2: prevent xattr node from overflowing the eraseblock","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-38599","datePublished":"2024-06-19T13:45:47.968Z","dateReserved":"2024-06-18T19:36:34.932Z","dateUpdated":"2026-05-12T11:55:02.555Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-06-19 14:15:19","lastModifiedDate":"2026-05-12 12:16:54","problem_types":["CWE-125"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"4.19.316","matchCriteriaId":"7D419E41-4594-4869-8782-31B5BDBFD2E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.278","matchCriteriaId":"7FDBF235-DA18-49A1-8690-6C7272FD0701"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.219","matchCriteriaId":"E9063AF3-D593-43B7-810D-58B87F82F9F9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.161","matchCriteriaId":"31130639-53FE-4726-8986-434EE2528CB2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.93","matchCriteriaId":"EEFB78EE-F990-4197-BF1C-156760A55667"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.33","matchCriteriaId":"FCE796DF-3B50-4DC6-BAE5-95271068FC9E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8.12","matchCriteriaId":"80550309-67AB-4FD1-AC07-3DED5C4F01B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.9.3","matchCriteriaId":"E07124C1-19E8-4D21-828D-9932A01D3011"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"38599","Ordinal":"1","Title":"jffs2: prevent xattr node from overflowing the eraseblock","CVE":"CVE-2024-38599","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"38599","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","Type":"Description","Title":"jffs2: prevent xattr node from overflowing the eraseblock"}]}}}