CVE-2024-35807: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.
AI Analysis
Technical Summary
CVE-2024-35807 is a vulnerability in the Linux kernel's ext4 filesystem implementation related to on-line resizing of large ext4 filesystems. Specifically, the issue arises when performing an on-line resize operation on ext4 filesystems larger than 16 TiB with a 4k block size, where the resize_inode feature is disabled (which is the default for filesystems with more than 2^32 blocks). The vulnerability manifests as filesystem corruption during the resize process. The root cause is a logic error in the ext4_flex_group_add function, which incorrectly adds block groups that are not part of the first meta block group when converting the filesystem to use the meta block group (meta_bg) feature starting at a certain block group index (s_first_meta_bg). This leads to improper updates of backup block group descriptors, causing corruption at specific physical block locations that store metadata backups. The corruption can be reliably reproduced by creating a filesystem with resize_inode disabled, writing data, performing an on-line resize across an 8 GiB boundary (the size of a meta block group), and then verifying that the data checksum changes, indicating corruption. This vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix. The fix involves adding a check to ensure that only block groups belonging to the meta block group are added during the resize operation, preserving the integrity of metadata backups. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for enterprises and data centers relying on large-scale Linux servers with ext4 filesystems exceeding 16 TiB. The corruption caused by on-line resizing can lead to data loss or filesystem instability, potentially disrupting critical services, applications, and data availability. Organizations performing dynamic storage resizing to accommodate growing data needs may inadvertently trigger this corruption, resulting in operational downtime and costly recovery efforts. Since ext4 is widely used in many Linux distributions common in Europe, including servers in cloud infrastructure, telecommunications, and enterprise environments, the risk is non-trivial. Although exploitation does not appear to be remotely triggered or automated, the vulnerability poses a threat during routine maintenance or scaling operations. Data integrity and availability are primarily affected, with potential secondary impacts on confidentiality if corrupted data leads to system crashes or fallback to less secure states. The absence of known exploits reduces immediate risk, but the complexity of the issue means that unnoticed corruption could silently affect systems over time.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Immediately update Linux kernels to versions containing the patch that fixes CVE-2024-35807 once available from their Linux distribution vendors. 2) Avoid performing on-line resizing operations on ext4 filesystems larger than 16 TiB with resize_inode disabled until patched. 3) If resizing is necessary, consider disabling on-line resize and performing offline resize operations with full backups in place. 4) Implement rigorous filesystem integrity checks (e.g., e2fsck) before and after resize operations to detect corruption early. 5) Maintain comprehensive backups of critical data and metadata to enable recovery in case of corruption. 6) Monitor kernel update advisories and filesystem-related bug reports closely. 7) For environments using custom or older kernels, backport the patch or apply vendor-provided fixes promptly. 8) Educate system administrators about the risks of on-line resizing on large ext4 filesystems and enforce change management controls around such operations. These measures go beyond generic advice by focusing on operational practices around resizing and filesystem integrity verification specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-35807: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.
AI-Powered Analysis
Technical Analysis
CVE-2024-35807 is a vulnerability in the Linux kernel's ext4 filesystem implementation related to on-line resizing of large ext4 filesystems. Specifically, the issue arises when performing an on-line resize operation on ext4 filesystems larger than 16 TiB with a 4k block size, where the resize_inode feature is disabled (which is the default for filesystems with more than 2^32 blocks). The vulnerability manifests as filesystem corruption during the resize process. The root cause is a logic error in the ext4_flex_group_add function, which incorrectly adds block groups that are not part of the first meta block group when converting the filesystem to use the meta block group (meta_bg) feature starting at a certain block group index (s_first_meta_bg). This leads to improper updates of backup block group descriptors, causing corruption at specific physical block locations that store metadata backups. The corruption can be reliably reproduced by creating a filesystem with resize_inode disabled, writing data, performing an on-line resize across an 8 GiB boundary (the size of a meta block group), and then verifying that the data checksum changes, indicating corruption. This vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix. The fix involves adding a check to ensure that only block groups belonging to the meta block group are added during the resize operation, preserving the integrity of metadata backups. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for enterprises and data centers relying on large-scale Linux servers with ext4 filesystems exceeding 16 TiB. The corruption caused by on-line resizing can lead to data loss or filesystem instability, potentially disrupting critical services, applications, and data availability. Organizations performing dynamic storage resizing to accommodate growing data needs may inadvertently trigger this corruption, resulting in operational downtime and costly recovery efforts. Since ext4 is widely used in many Linux distributions common in Europe, including servers in cloud infrastructure, telecommunications, and enterprise environments, the risk is non-trivial. Although exploitation does not appear to be remotely triggered or automated, the vulnerability poses a threat during routine maintenance or scaling operations. Data integrity and availability are primarily affected, with potential secondary impacts on confidentiality if corrupted data leads to system crashes or fallback to less secure states. The absence of known exploits reduces immediate risk, but the complexity of the issue means that unnoticed corruption could silently affect systems over time.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Immediately update Linux kernels to versions containing the patch that fixes CVE-2024-35807 once available from their Linux distribution vendors. 2) Avoid performing on-line resizing operations on ext4 filesystems larger than 16 TiB with resize_inode disabled until patched. 3) If resizing is necessary, consider disabling on-line resize and performing offline resize operations with full backups in place. 4) Implement rigorous filesystem integrity checks (e.g., e2fsck) before and after resize operations to detect corruption early. 5) Maintain comprehensive backups of critical data and metadata to enable recovery in case of corruption. 6) Monitor kernel update advisories and filesystem-related bug reports closely. 7) For environments using custom or older kernels, backport the patch or apply vendor-provided fixes promptly. 8) Educate system administrators about the risks of on-line resizing on large ext4 filesystems and enforce change management controls around such operations. These measures go beyond generic advice by focusing on operational practices around resizing and filesystem integrity verification specific to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-17T12:19:12.342Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe3512
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:09:57 PM
Last updated: 8/17/2025, 7:56:06 AM
Views: 11
Related Threats
CVE-2025-9170: Cross Site Scripting in SolidInvoice
MediumCVE-2025-9169: Cross Site Scripting in SolidInvoice
MediumCVE-2025-9168: Cross Site Scripting in SolidInvoice
MediumCVE-2025-8364: Address bar spoofing using an blob URI on Firefox for Android in Mozilla Firefox
HighCVE-2025-8042: Sandboxed iframe could start downloads in Mozilla Firefox
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.