CVE-2024-46744: Squashfs: sanity check symbolic link size
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: sanity check symbolic link size
Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
This is caused by an uninitialised page, which is ultimately caused
by a corrupted symbolic link size read from disk.
The reason why the corrupted symlink size causes an uninitialised
page is due to the following sequence of events:
1. squashfs_read_inode() is called to read the symbolic
link from disk. This assigns the corrupted value
3875536935 to inode->i_size.
2. Later squashfs_symlink_read_folio() is called, which assigns
this corrupted value to the length variable, which being a
signed int, overflows producing a negative number.
3. The following loop that fills in the page contents checks that
the copied bytes is less than length, which being negative means
the loop is skipped, producing an uninitialised page.
This patch adds a sanity check which checks that the symbolic
link size is not larger than expected.
--
V2: fix spelling mistake.
Security readout for executives and security teams
Plain-English summary
CVE-2024-46744 is a Linux kernel Squashfs bug where a corrupted symbolic-link size read from disk can lead the kernel to use uninitialized page data. Business risk is mainly where Linux systems process untrusted or externally supplied Squashfs images.
Executive priority
Treat this as a scheduled kernel maintenance item unless your environment processes untrusted Squashfs images. Prioritize embedded, appliance, recovery-media, and image-processing workflows where malformed filesystem images may cross trust boundaries.
Technical view
The Squashfs symlink reader accepted an oversized symlink length from disk. That value could overflow when stored as a signed integer, skip page population, and leave an uninitialized page later observed in pick_link. Kernel stable commits add a sanity check for symlink size.
Likely exposure
Exposure is most likely on Linux systems running affected kernel versions and mounting or processing Squashfs filesystems. Debian LTS and Siemens advisories indicate downstream vendors tracked related kernel updates, so appliances and embedded Linux estates should verify vendor status.
Exploitation context
The bundle does not show active exploitation, and KEV is false. The reported evidence comes from Syzkaller-style kernel testing. Practical abuse would require a vulnerable kernel to encounter a corrupted Squashfs image with invalid symlink metadata.
Researcher notes
No CVSS, CWE, or exploit confirmation is provided in the bundle. The root cause is validation failure on Squashfs symlink length, producing signed overflow behavior and an uninitialized page. Focus validation on kernel branch fixes and downstream vendor backports.
Mitigation direction
Update to a kernel build containing the referenced stable Squashfs fix.
Apply Debian LTS or vendor kernel advisories where applicable.
Check Siemens product advisories if using affected Siemens platforms.
Restrict mounting or processing untrusted Squashfs images until patched.
Follow distribution guidance for reboot requirements after kernel updates.
Validation and detection
Inventory Linux kernel versions against the CVE affected version list.
Confirm deployed kernels include the referenced Squashfs symlink-size sanity check.
Review whether systems mount Squashfs images from untrusted sources.
Check Debian LTS and vendor advisories for package-level fixed versions.
Verify patched systems have rebooted into the updated kernel.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46744 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.