LiveActive security incident?Get immediate response
CVE Record

CVE-2024-38599: jffs2: prevent xattr node from overflowing the eraseblock

In the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel JFFS2 filesystem bug. A too-large extended attribute can cross a flash eraseblock boundary, corrupting filesystem data and triggering kernel memory-safety crashes. The public sources do not provide a CVSS score or evidence of active exploitation.

Executive priority

Treat as a targeted kernel reliability and availability risk, not a broad internet-facing emergency. Patch during the next kernel maintenance window, faster for products or systems that expose writable JFFS2 storage to users or tenants.

Technical view

JFFS2 xattr nodes are not split across eraseblocks. Missing size validation allowed an xattr node larger than the eraseblock minus cleanmarker, causing overwrite of adjacent nodes, CRC failures, filesystem breakage, and KASAN slab-out-of-bounds crashes. Stable Linux fixes add a bounds check.

Likely exposure

Exposure is most likely on Linux systems that mount JFFS2 filesystems and allow creation or modification of extended attributes. JFFS2 is flash-oriented; validate appliances, embedded Linux images, recovery partitions, and any Linux hosts using JFFS2.

Exploitation context

The bundle cites Syzkaller discovery and kernel crash output, but no KEV listing and no cited active exploitation. Practical impact appears to require access capable of setting large xattrs on a JFFS2 filesystem.

Researcher notes

The key boundary is xattr node length versus eraseblock size minus cleanmarker. Sources describe corruption and KASAN out-of-bounds reads after malformed oversized xattr storage. They do not establish privilege escalation, remote reachability, or exploit availability.

Mitigation direction

  • Upgrade to a Linux kernel build containing the referenced stable fixes.
  • Prioritize systems that mount JFFS2 filesystems with writable extended attributes.
  • Check Debian LTS and vendor advisories for packaged kernel updates.
  • Restrict untrusted write access to JFFS2 filesystems where patching is delayed.

Validation and detection

  • Inventory systems for mounted JFFS2 filesystems and kernel versions.
  • Map deployed kernels against vendor-fixed package versions or stable commit inclusion.
  • Review kernel logs for JFFS2 CRC failures, wrong-place nodes, or KASAN reports.
  • Confirm xattr usage and write access on any JFFS2-backed paths.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-38599 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
12Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxaa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2fe, aa98d7cf59b5b0764d3502662053489585faf2feunaffected
LinuxLinux2.6.18, 0, 4.19.316, 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.8.12, 6.9.3, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.