CVE-2024-26704

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26704
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26704.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26704
Downstream
Related
Published
2024-04-03T14:55:02.672Z
Modified
2025-11-27T19:35:25.244486Z
Summary
ext4: fix double-free of blocks due to wrong extents moved_len
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double-free of blocks due to wrong extents moved_len

In ext4moveextents(), movedlen is only updated when all moves are successfully executed, and only discards originode and donorinode preallocations when movedlen is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations.

If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4mbreleaseinodepa() and ext4processfreeddata() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4IOCMOVEEXT")), and bbfree is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mbupdateavgfragmentsize() because bbfree is not zero and bb_fragments is zero.

Therefore, update move_len after each extent move to avoid the issue.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2024/26xxx/CVE-2024-26704.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
b4fbb89d722cbb16beaaea234b7230faaaf68c71
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
afbcad9ae7d6d11608399188f03a837451b6b3a1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
d033a555d9a1cf53dbf3301af7199cc4a4c8f537
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
afba9d11320dad5ce222ac8964caf64b7b4bedb1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
2883940b19c38d5884c8626483811acf4d7e148f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
559ddacb90da1d8786dd8ec4fd76bbfa404eaef6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a
Fixed
55583e899a5357308274601364741a83e78d6ac4

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.18.0
Fixed
4.19.307
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.269
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.210
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.149
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.79
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.18
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.6