CVE-2024-57850: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57850 addresses a vulnerability in the Linux kernel's JFFS2 filesystem component, specifically in the rtime decompression routine. The vulnerability was discovered and disclosed on January 11, 2025. The issue affects multiple versions of the Linux kernel, including versions from 5.11 through 6.12.5 (NVD).

The vulnerability stems from incomplete bounds checking during the rtime decompression process in the JFFS2 filesystem. The rtime decompression routine fails to fully verify bounds throughout the entire decompression pass, which can lead to memory corruption outside the decompression buffer when processing corrupted compressed data. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

When exploited, this vulnerability can cause memory corruption outside the designated decompression buffer, potentially leading to system instability or unauthorized access to memory regions. The high CVSS score reflects the potential for significant impact on system confidentiality, integrity, and availability when the vulnerability is successfully exploited (NVD).

A patch has been developed and committed to the Linux kernel that adds the required boundary checks to prevent memory corruption. The fix involves adding validation to ensure the decompression operation stays within the intended buffer limits. The patch has been backported to multiple kernel versions and is available through various distribution security updates (Kernel Patch).