{"api_version":"1","generated_at":"2026-05-13T02:11:01+00:00","cve":"CVE-2024-35807","urls":{"html":"https://cve.report/CVE-2024-35807","api":"https://cve.report/api/cve/CVE-2024-35807.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-35807","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-35807"},"summary":{"title":"ext4: fix corruption during on-line resize","description":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n  dev=/dev/<some_dev> # should be >= 16 GiB\n  mkdir -p /corruption\n  /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n  mount -t ext4 $dev /corruption\n\n  dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n  sha1sum /corruption/test\n  # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test\n\n  /sbin/resize2fs $dev $((2*2**21))\n  # drop page cache to force reload the block from disk\n  echo 1 > /proc/sys/vm/drop_caches\n\n  sha1sum /corruption/test\n  # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.","state":"PUBLISHED","assigner":"Linux","published_at":"2024-05-17 14:15:14","updated_at":"2026-05-12 12:16:36"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-398330.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-398330.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a","name":"https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5","name":"https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c","name":"https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1","name":"https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc","name":"https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df","name":"https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd","name":"https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c","name":"https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6","name":"https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-35807","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35807","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 75cc31c2e7193b69f5d25650bda5bb42ed92f8a1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 ee4e9c1976147a850f6085a13fca95bcaa00d84c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 e8e8b197317228b5089ed9e7802dadf3ccaa027a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 239c669edb2bffa1aa2612519b1d438ab35d6be6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 fb1088d51bbaa0faec5a55d4f5818a9ab79e24df git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 37b6a3ba793bbbae057f5b991970ebcc52cb3db5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 b461910af8ba3bed80f48c2bf852686d05c6fc5c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 722d2c01b8b108f8283d1b7222209d5b2a5aa7bd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.312 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.274 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.215 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.154 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.84 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.24 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7.12 6.7.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.3 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"35807","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-35807","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-06-12T15:25:51.499528Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-12T15:26:07.895Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-02T03:21:47.537Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:52:08.068Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-398330.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/resize.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"75cc31c2e7193b69f5d25650bda5bb42ed92f8a1","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"ee4e9c1976147a850f6085a13fca95bcaa00d84c","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"e8e8b197317228b5089ed9e7802dadf3ccaa027a","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"239c669edb2bffa1aa2612519b1d438ab35d6be6","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"fb1088d51bbaa0faec5a55d4f5818a9ab79e24df","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"37b6a3ba793bbbae057f5b991970ebcc52cb3db5","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"b461910af8ba3bed80f48c2bf852686d05c6fc5c","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"722d2c01b8b108f8283d1b7222209d5b2a5aa7bd","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"},{"lessThan":"a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc","status":"affected","version":"01f795f9e0d67adeccc61a8b20c28acb45fa5fd8","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/ext4/resize.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.7"},{"lessThan":"3.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.312","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.274","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.215","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.154","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.84","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.24","versionType":"semver"},{"lessThanOrEqual":"6.7.*","status":"unaffected","version":"6.7.12","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.9","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.312","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.274","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.215","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.154","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.84","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.24","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.7.12","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.3","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9","versionStartIncluding":"3.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n  dev=/dev/<some_dev> # should be >= 16 GiB\n  mkdir -p /corruption\n  /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n  mount -t ext4 $dev /corruption\n\n  dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n  sha1sum /corruption/test\n  # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test\n\n  /sbin/resize2fs $dev $((2*2**21))\n  # drop page cache to force reload the block from disk\n  echo 1 > /proc/sys/vm/drop_caches\n\n  sha1sum /corruption/test\n  # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not."}],"providerMetadata":{"dateUpdated":"2026-05-11T20:11:24.344Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1"},{"url":"https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c"},{"url":"https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a"},{"url":"https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6"},{"url":"https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df"},{"url":"https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5"},{"url":"https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c"},{"url":"https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd"},{"url":"https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc"}],"title":"ext4: fix corruption during on-line resize","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-35807","datePublished":"2024-05-17T13:23:14.869Z","dateReserved":"2024-05-17T12:19:12.342Z","dateUpdated":"2026-05-12T11:52:08.068Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-05-17 14:15:14","lastModifiedDate":"2026-05-12 12:16:36","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"4.19.312","matchCriteriaId":"48A978A1-082D-4FD8-B0A8-15D857F7935B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.274","matchCriteriaId":"F45A0F3C-C16D-49C4-86D6-D021C3D4B834"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.215","matchCriteriaId":"9CD5894E-58E9-4B4A-B0F4-3E6BC134B8F5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.154","matchCriteriaId":"577E212E-7E95-4A71-9B5C-F1D1A3AFFF46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.84","matchCriteriaId":"834D9BD5-42A6-4D74-979E-4D6D93F630FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.24","matchCriteriaId":"8018C1D0-0A5F-48D0-BC72-A2B33FDDA693"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.12","matchCriteriaId":"6BE9771A-BAFD-4624-95F9-58D536540C53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.3","matchCriteriaId":"4C59BBC3-6495-4A77-9C82-55EC7CDF5E02"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"35807","Ordinal":"1","Title":"ext4: fix corruption during on-line resize","CVE":"CVE-2024-35807","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"35807","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n  dev=/dev/<some_dev> # should be >= 16 GiB\n  mkdir -p /corruption\n  /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n  mount -t ext4 $dev /corruption\n\n  dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n  sha1sum /corruption/test\n  # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test\n\n  /sbin/resize2fs $dev $((2*2**21))\n  # drop page cache to force reload the block from disk\n  echo 1 > /proc/sys/vm/drop_caches\n\n  sha1sum /corruption/test\n  # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.","Type":"Description","Title":"ext4: fix corruption during on-line resize"}]}}}