CVE-2024-46744 Overview
CVE-2024-46744 is a vulnerability in the Linux kernel's Squashfs filesystem implementation that affects the handling of symbolic link sizes. The vulnerability was discovered through Syzkaller, a kernel fuzzing tool, which reported a "KMSAN: uninit-value in pick_link" bug. This issue arises from inadequate sanity checking of symbolic link sizes read from disk, allowing corrupted values to trigger uninitialized memory access.
The vulnerability occurs when a maliciously crafted or corrupted Squashfs filesystem image contains a symbolic link with an invalid size value. When the kernel processes this symbolic link, the corrupted size value causes integer overflow, leading to uninitialized page access which could potentially be exploited for information disclosure or privilege escalation.
Critical Impact
A local attacker with access to mount Squashfs filesystems could exploit this vulnerability to access uninitialized kernel memory, potentially leading to privilege escalation or information disclosure on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.11 RC1, RC2, and RC3
- Debian Linux (see LTS announcements)
Discovery Timeline
- September 18, 2024 - CVE-2024-46744 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-46744
Vulnerability Analysis
This vulnerability stems from a lack of input validation in the Squashfs filesystem driver when processing symbolic link inodes. The flaw allows a corrupted symbolic link size value read from disk to propagate through the kernel's file handling code without proper bounds checking.
When squashfs_read_inode() reads a symbolic link from disk, it assigns the raw size value directly to inode->i_size. In the observed case, a corrupted value of 3875536935 was assigned. Subsequently, when squashfs_symlink_read_folio() processes this inode, it assigns the size to a signed integer length variable. This causes integer overflow, converting the large positive value to a negative number.
The loop responsible for filling page contents checks whether copied bytes are less than the length value. Since the length is now negative, this comparison always fails, causing the loop to be skipped entirely. The result is an uninitialized page being returned to user space, creating an information disclosure vector.
Root Cause
The root cause is missing input validation (CWE-59: Improper Link Resolution Before File Access) in the Squashfs symbolic link handling code. The kernel trusted the symbolic link size value read from the filesystem image without verifying it against expected bounds. This allowed malformed filesystem images to inject arbitrary size values that trigger the integer overflow condition.
The fix adds a sanity check to verify that the symbolic link size does not exceed expected maximum values before processing, preventing the overflow condition.
Attack Vector
Exploitation requires local access to the system with the ability to mount Squashfs filesystem images. An attacker could craft a malicious Squashfs image containing a symbolic link with a corrupted size value exceeding the maximum signed integer value. When a user or system process mounts this image and attempts to follow the symbolic link, the vulnerability is triggered.
The attack flow proceeds as follows:
- Attacker creates a malicious Squashfs image with a corrupted symlink size
- The image is mounted on the target system
- A process attempts to read or follow the malicious symbolic link
- The kernel processes the corrupted size value in squashfs_read_inode()
- Integer overflow occurs in squashfs_symlink_read_folio()
- Uninitialized kernel memory is exposed through the uninitalized page
Detection Methods for CVE-2024-46744
Indicators of Compromise
- Kernel log messages containing "KMSAN: uninit-value in pick_link" errors
- Unexpected behavior when accessing Squashfs-mounted filesystems
- System instability or crashes when mounting untrusted Squashfs images
- Kernel oops or panic messages referencing Squashfs symlink handling functions
Detection Strategies
- Monitor kernel logs for KMSAN warnings related to pick_link or Squashfs operations
- Implement file integrity monitoring on systems that frequently mount Squashfs images
- Use kernel live patching detection to verify the vulnerability has been addressed
- Deploy endpoint detection rules for anomalous Squashfs mount operations from untrusted sources
Monitoring Recommendations
- Enable kernel auditing for mount operations involving Squashfs filesystems
- Monitor for attempts to mount Squashfs images from non-standard locations
- Implement anomaly detection for processes accessing symbolic links on recently mounted filesystems
- Track kernel version information across endpoints to identify unpatched systems
How to Mitigate CVE-2024-46744
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the sanity check fix
- Restrict unprivileged user access to mount Squashfs filesystems
- Audit systems for any untrusted or externally-sourced Squashfs images
- Consider disabling Squashfs support on systems where it is not required
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix adds validation logic to check that the symbolic link size read from disk does not exceed the expected maximum before processing.
Official patches are available through the kernel Git repository:
- Kernel Git Commit 087f25b2d36a
- Kernel Git Commit 1b9451ba6f21
- Kernel Git Commit 5c8906de98d0
- Kernel Git Commit 810ee43d9cd2
Debian users should consult the Debian LTS Security Announcements for distribution-specific updates.
Workarounds
- Disable the Squashfs kernel module if not required: modprobe -r squashfs
- Use SELinux or AppArmor policies to restrict Squashfs mount capabilities to trusted processes only
- Implement mount namespace isolation to limit the impact of mounting untrusted filesystem images
- Block mounting of Squashfs images from untrusted sources at the organizational policy level
# Disable Squashfs module loading
echo "install squashfs /bin/true" >> /etc/modprobe.d/disable-squashfs.conf
# Blacklist Squashfs to prevent automatic loading
echo "blacklist squashfs" >> /etc/modprobe.d/blacklist-squashfs.conf
# Remove currently loaded Squashfs module (if possible)
modprobe -r squashfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
