CVE-2024-43828

ext4: fix infinite loop when replaying fast_commit

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix infinite loop when replaying fast_commit When doing fast_commit replay an infinite loop may occur due to an uninitialized extent_status struct. ext4_ext_determine_insert_hole() does not detect the replay and calls ext4_es_find_extent_range(), which will return immediately without initializing the 'es' variable. Because 'es' contains garbage, an integer overflow may happen causing an infinite loop in this function, easily reproducible using fstest generic/039. This commit fixes this issue by unconditionally initializing the structure in function ext4_es_find_extent_range(). Thanks to Zhang Yi, for figuring out the real problem!

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.04%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/5ed0496e383cb6de120e56991385dce70bbb87c1 patch
https://git.kernel.org/stable/c/0619f7750f2b178a1309808832ab20d85e0ad121 patch
https://git.kernel.org/stable/c/181e63cd595c688194e07332f9944b3a63193de2 patch
https://git.kernel.org/stable/c/c6e67df64783e99a657ef2b8c834ba2bf54c539c patch
https://git.kernel.org/stable/c/81f819c537d29932e4b9267f02411cbc8b355178 patch
https://git.kernel.org/stable/c/907c3fe532253a6ef4eb9c4d67efb71fab58c706 patch

Frequently Asked Questions

What is the severity of CVE-2024-43828?
CVE-2024-43828 has been scored as a medium severity vulnerability.
How to fix CVE-2024-43828?
To fix CVE-2024-43828, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-43828 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-43828 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-43828?
CVE-2024-43828 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.