CVE-2024-57254

Published Feb 18, 2025

Last updated 6 months ago

CVSS high 7.1
Ubuntu

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-57254 is an integer overflow vulnerability found in Das U-Boot (Universal Boot Loader) prior to version 2025.01-rc1. The vulnerability exists in the `sqfs_inode_size` function during the calculation of symlink size. Specifically, it can be triggered by a specially crafted SquashFS filesystem, potentially leading to further vulnerabilities, especially if the size calculation is used for resource management or execution control. Das U-Boot is a widely used boot loader in embedded systems, often used to initialize hardware and load the operating system. A SquashFS filesystem is a compressed read-only filesystem commonly used in embedded systems due to its small size. Exploiting this vulnerability requires local access. Upgrading to Das U-Boot version 2025.01-rc1 or later mitigates this vulnerability.

Description
An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem.
Source
cve@mitre.org
NVD status
Modified
Products
u-boot

Risk scores

CVSS 3.1

Type
Primary
Base score
6.8
Impact score
5.9
Exploitability score
0.9
Vector string
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
MEDIUM

Weaknesses

cve@mitre.org
CWE-190

Social media

Hype score
Not currently trending

  1. CVE-2024-57254 An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. https://t.co/LwxkB4lw6K

    @CVEnew

    18 Feb 2025

    467 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. New post from https://t.co/uXvPWJy6tj (CVE-2024-57254 | DENEX U-Boot prior 2025.01-rc1 SquashFS Symlink Size Calculation integer overflow) has been published on https://t.co/yeKpfxeKSC

    @WolfgangSesin

    18 Feb 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. U-Boot vulnerabilities https://t.co/T90biu2d32 CVE-2024-57254: Integer overflow in SquashFS symlink size calculation function CVE-2024-57255: Integer overflow in SquashFS symlink resolution function CVE-2024-57256: Integer overflow in ext4 symlink resolution function + next tweet

    @oss_security

    17 Feb 2025

    2805 Impressions

    6 Retweets

    20 Likes

    11 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.CVE-2026-41651
  2. A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.CVE-2026-1584
  3. In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.CVE-2026-35535
  4. In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.CVE-2026-23410
  5. In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.CVE-2026-23411

References

Sources include official advisories and independent security research.