CVE-2024-26601: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26601 affects the Linux kernel's ext4 filesystem implementation. The vulnerability was discovered in early 2024 and involves a bug in the block freeing mechanism during fast commit replay. The issue affects Linux kernel versions up to 5.10.211, 5.11.0 to 5.15.150, 5.16.0 to 6.1.78, 6.2.0 to 6.6.17, and 6.7.0 to 6.7.5 (NVD).

The vulnerability stems from a regression introduced by commit 6bd97bf273bd which removed the mb_regenerate_buddy() function. During fast commit replay, the mb_free_blocks() function can mark blocks as free that are already marked as such, leading to corruption of the buddy bitmap. The issue has a CVSS v3.1 Base Score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability can result in corruption of the ext4 filesystem's buddy bitmap, which is used for block allocation management. This corruption could lead to filesystem inconsistencies and potential system instability (Kernel Patch).

The issue has been fixed by reintroducing the mb_regenerate_buddy() function and adding proper handling of buddy bitmap regeneration when block freeing fails during fast commit replay. The fix has been backported to multiple stable kernel versions. Users should update to patched kernel versions (Kernel Patch).