CVE-2024-49881

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58

Description: A NULL pointer dereference or path memory leak issue has been identified in the Linux kernel. The problem occurs in the ext4 find extent() function when the path is not big enough, and after reallocating and successfully initializing the path, the *orig path is not updated. This can cause the caller to receive a valid path but a NULL ppath, leading to a NULL pointer dereference or a path memory leak. The issue is demonstrated in the ext4 split extent function, where a NULL pointer dereference can occur when trying to access path[depth].p ext.

Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider disabling the ext4 find extent() function until a patch is available. Restrict access to the vulnerable ext4 module to minimize the risk of exploitation. Avoid using the ppath variable in the affected API endpoints until the issue is resolved.