Reachable assertion in Linux kernel overlayfs
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-27069 |
| CWE-ID | CWE-617 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Reachable assertion
EUVDB-ID: #VU90908
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-27069
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to reachable assertion within the ovl_verify_area() function in fs/overlayfs/copy_up.c. A local user can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsLinux kernel: 6.8 - 6.8.1
CPE2.3- cpe:2.3:o:linux_foundation:linux_kernel:6.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.8:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.8:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.8:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.8.1:*:*:*:*:*:*:*
https://git.kernel.org/stable/c/c3c85aefc0da1e5074a06c682542a54ccc99bdca
https://git.kernel.org/stable/c/77a28aa476873048024ad56daf8f4f17d58ee48e
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.8.2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
