CVE-2024-26590: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26590 affects the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. The vulnerability was discovered in the per-file compression format handling, where EROFS can select compression algorithms on a per-file basis. The issue was disclosed on February 22, 2024, affecting Linux kernel versions from 5.16.0 up to (excluding) 6.6.14 and from 6.7.0 up to (excluding) 6.7.2 (NVD).

The vulnerability stems from inconsistent crafted images that can use an unsupported algorithm type for specific inodes. For example, using MicroLZMA algorithm type even when it's not set in sbi->available_compr_algs. This inconsistency can lead to a NULL pointer dereference if the corresponding decompressor isn't built-in. The CVSS v3.1 base score is 5.5 (Medium), with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to a kernel NULL pointer dereference, potentially resulting in a system crash or denial of service condition. The impact is limited to availability with no direct effects on confidentiality or integrity (NVD).

The vulnerability has been patched by adding checks against sbi->available_compr_algs for each m_algorithmformat request. The fix also corrects the incorrect !erofs_sb_has_compr_cfgs preset bitmap. Users should update to Linux kernel versions 6.6.14, 6.7.2 or later that contain the fix (Kernel Patch).