CVE-2024-50246: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50246 is a vulnerability in the Linux kernel's NTFS3 filesystem implementation that was discovered and disclosed on November 9, 2024. The vulnerability specifically affects the attribute allocation size checking mechanism in the fs/ntfs3 component. This issue impacts multiple versions of the Linux kernel, including versions up to 6.6.60 and from version 6.7 up to 6.11.7, as well as specific release candidates 6.12-rc1 and 6.12-rc2 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical issue involves insufficient checking of attribute allocation sizes in the NTFS3 filesystem code, specifically in the fs/ntfs3/record.c file. The fix involves adding a validation check to ensure that the allocation size does not exceed the volume size (NVD, Kernel Patch).

Based on the CVSS metrics, the vulnerability has high potential impact on confidentiality, integrity, and availability of the affected systems. The vulnerability requires local access and low privileges to exploit, but can potentially lead to significant system compromise (NVD).

The vulnerability has been patched in the Linux kernel through a commit that adds a rough attribute allocation size check. The fix has been backported to multiple kernel versions. Users should update to patched kernel versions: beyond 6.6.60 for the 6.6.x series, or beyond 6.11.7 for the 6.11.x series (NVD).