PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-25739 Linux CVE debrief

CVE-2024-25739 affects the UBI (Unsorted Block Images) volume-table code in the Linux kernel, drivers/mtd/ubi/vtbl.c. create_empty_lvol sizes an allocation from ubi->leb_size without first checking that value, so a zero leb_size turns into a zero-byte allocation request and a kernel crash. The CVE was published on 2024-02-12 and the record was later modified on 2026-05-12.

Vendor
Linux
Product
Linux kernel
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-12
Original CVE updated
2026-05-12
Advisory published
2024-02-12
Advisory updated
2026-05-12

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that use the UBI/MTD storage stack should review this issue. Embedded and appliance deployments on raw flash are the most relevant audience, because the vulnerable code sits in the UBI volume table path, which general-purpose servers and desktops rarely exercise.

Technical summary

The CVE record states that create_empty_lvol in drivers/mtd/ubi/vtbl.c can attempt to allocate zero bytes because ubi->leb_size is not checked before it is used as the allocation size. The resulting failure mode is a crash, so the primary impact is availability rather than confidentiality or integrity. NVD classifies the issue as CVSS 3.1 5.5 MEDIUM with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, that is, local access with low privileges and no user interaction, no confidentiality or integrity impact, and high availability impact. The weakness is CWE-754 (Improper Check for Unusual or Exceptional Conditions).
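To make the failure mode concrete, the following is an added user-space C model of the check described above; it is not code from the Linux kernel or from this page. The struct, the _model helpers, the 172-byte record size and the 128-slot cap are assumptions for illustration. The unchecked path sizes the volume table from leb_size and forwards a zero-byte request to the allocator (the model counts that request, standing in for the kernel crash the record describes); the checked path rejects a LEB too small to hold even one record before the allocator is touched, so attach fails cleanly with -EINVAL.

```c
/* Added example, not Linux kernel code: a user-space model of the missing
 * leb_size check in create_empty_lvol. The _model names, the record size and
 * the slot cap are assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VTBL_RECORD_SIZE_MODEL 172u  /* assumed bytes per volume-table record */
#define MAX_VOLUMES_MODEL      128u  /* assumed cap on volume-table slots */

/* Reduced stand-in for struct ubi_device with only the fields this path uses. */
struct ubi_model {
    size_t leb_size;    /* logical eraseblock size, derived from the flash geometry */
    size_t vtbl_slots;  /* number of records the volume table can hold */
};

/* Count of zero-byte allocation requests. In the model this event stands in
 * for the crash the CVE record attributes to the zero-byte allocation. */
static unsigned zero_size_alloc_requests = 0;

/* Stand-in for vzalloc(): zero-byte requests are recorded and yield NULL. */
static void *vzalloc_model(size_t size) {
    if (size == 0) {
        zero_size_alloc_requests++;
        return NULL;
    }
    return calloc(1, size);
}

/* Number of records that fit in one LEB, capped like the real table. */
static size_t slots_for(size_t leb_size) {
    size_t slots = leb_size / VTBL_RECORD_SIZE_MODEL;
    return slots > MAX_VOLUMES_MODEL ? MAX_VOLUMES_MODEL : slots;
}

/* Fill the table with empty records. Records are zeroed here; the real code
 * copies an empty record template that carries a CRC. */
static void fill_empty_records(uint8_t *vtbl, size_t slots) {
    for (size_t i = 0; i < slots; i++)
        memset(vtbl + i * VTBL_RECORD_SIZE_MODEL, 0, VTBL_RECORD_SIZE_MODEL);
}

/* Vulnerable shape: the allocation is sized from leb_size with no check, so a
 * leb_size of 0 asks the allocator for zero bytes. Returns 0 or -ENOMEM. */
static int create_empty_vtbl_unchecked(struct ubi_model *ubi, uint8_t **out) {
    uint8_t *vtbl = vzalloc_model(ubi->leb_size);
    if (!vtbl)
        return -ENOMEM;
    ubi->vtbl_slots = slots_for(ubi->leb_size);
    fill_empty_records(vtbl, ubi->vtbl_slots);
    *out = vtbl;
    return 0;
}

/* Hardened shape: reject a LEB too small to hold a single record before the
 * allocator is involved, so attach fails with -EINVAL instead of crashing. */
static int create_empty_vtbl_checked(struct ubi_model *ubi, uint8_t **out) {
    *out = NULL;
    if (ubi->leb_size < VTBL_RECORD_SIZE_MODEL)
        return -EINVAL;
    return create_empty_vtbl_unchecked(ubi, out);
}

int main(void) {
    struct ubi_model ubi = { .leb_size = 0, .vtbl_slots = 0 };
    uint8_t *vtbl = NULL;
    int rc = create_empty_vtbl_checked(&ubi, &vtbl);
    printf("checked,   leb_size=0:    rc=%d\n", rc);
    rc = create_empty_vtbl_unchecked(&ubi, &vtbl);
    printf("unchecked, leb_size=0:    rc=%d, zero-byte requests=%u\n",
           rc, zero_size_alloc_requests);
    ubi.leb_size = 4096;
    rc = create_empty_vtbl_checked(&ubi, &vtbl);
    printf("checked,   leb_size=4096: rc=%d, slots=%zu\n", rc, ubi.vtbl_slots);
    free(vtbl);
    return 0;
}
```

The point of the model is where the check sits: the hardened version validates the field that feeds the allocation size before calling the allocator, which is the generic fix pattern for CWE-754 bugs of this shape. The same guard is what keeps a too-small LEB (here 100 bytes) from producing a table with zero usable slots.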

Defensive priority

Medium priority. The issue is a local availability problem in kernel code, but it sits in core storage setup and takes down the whole system, not just a process, when the vulnerable path is reached.

Recommended defensive actions

  • Apply the upstream or stable Linux kernel fix referenced in the CVE record.
  • Prioritize upgrades on systems that use UBI/MTD, especially embedded or appliance-style deployments.
  • Review downstream vendor advisories and backport status for affected kernel branches.
  • Validate that deployed kernels are newer than the vulnerable range ending at 6.7.4, or carry the backported fix on older maintained branches; on distribution kernels the version number alone does not settle the question.
  • Monitor for unexpected kernel crashes in environments that exercise UBI volume creation paths.
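A small added C check for the version bullet above (not from this page or the kernel project): it parses the leading dotted numbers of a kernel release string and compares them with the 6.7.4 bound from the CVE record. The function names are assumptions. It is a triage aid only: distribution kernels often ship the fix as a backport under an older upstream version number, so a release inside the range means "check the vendor advisory and backport status", not "vulnerable".

```c
/* Added example, not from the page or the kernel project: compare a kernel
 * release string with the 6.7.4 bound from the CVE record. Function names
 * are assumptions. Handles distribution suffixes such as "6.1.78-1-amd64"
 * or "5.15.0-91-generic" by reading only the leading numbers. */
#include <stdio.h>
#include <sys/utsname.h>

/* Upper bound of the affected range as stated in the CVE record ("through 6.7.4"). */
#define BOUND_MAJOR 6
#define BOUND_MINOR 7
#define BOUND_PATCH 4

struct kver { int major, minor, patch; };

/* Parse the leading "a.b" or "a.b.c" of a release string; anything after the
 * numbers is ignored. Returns 1 on success, 0 if no usable version is present. */
static int parse_kver(const char *release, struct kver *v) {
    v->major = v->minor = v->patch = 0;
    return sscanf(release, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

/* Three-way compare of two versions, most significant component first. */
static int cmp_kver(struct kver a, struct kver b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 if the release lies inside the range the CVE record describes (up to and
 * including 6.7.4), 0 if it is newer, -1 if the string cannot be parsed. A
 * result of 1 on a distribution kernel still needs the backport status checked. */
static int release_in_vulnerable_range(const char *release) {
    struct kver v, bound = { BOUND_MAJOR, BOUND_MINOR, BOUND_PATCH };
    if (!parse_kver(release, &v))
        return -1;
    return cmp_kver(v, bound) <= 0 ? 1 : 0;
}

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = release_in_vulnerable_range(u.release);
    if (r < 0)
        printf("%s: could not parse kernel release\n", u.release);
    else if (r == 1)
        printf("%s: within the affected range (<= 6.7.4); check vendor backport status\n", u.release);
    else
        printf("%s: newer than 6.7.4\n", u.release);
    return r == 1 ? 1 : 0;
}
```

Run it on each host as part of the review; an exit status of 1 flags a kernel whose upstream version lies in the range, which is the cue to consult the distribution advisory rather than a verdict on its own.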

Evidence notes

This debrief is based on the CVE description and the official references listed in the record, including the upstream Linux commit, a stable branch commit, a syzkaller discussion, Debian LTS notices, a kernel mailing list post, and a Siemens CERT advisory. No exploit method or unsupported impact claims are included.

Official resources

Publicly disclosed in the CVE record on 2024-02-12. The record was modified on 2026-05-12; that date reflects a metadata update, not the original disclosure date.