CVE-2009-0745
Description
The ext4_group_add function in the Linux kernel does not properly initialize group descriptors during resize operations, allowing local users to cause a denial of service (OOPS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ext4_group_add function in fs/ext4/resize.c in Linux kernel 2.6.27.x before 2.6.27.19 and 2.6.28.x before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation [1][4]. The flaw is triggered when crafted values are present in available memory and are then used without proper initialization, leading to a kernel OOPS [1][4].
Exploitation
A local user with the ability to trigger a filesystem resize operation (resize2fs) on an ext4 filesystem can exploit this vulnerability [1][4]. The attacker must arrange for crafted values to be present in memory that is used to form the group descriptor during the resize process [1][4]. No special privileges beyond local access to the system are required to initiate the resize operation.
Impact
Successful exploitation allows a local attacker to cause a kernel OOPS, resulting in a denial of service (DoS) condition [1][4]. The system may crash or become unstable, impacting availability. There is no indication of privilege escalation or data corruption in the available references [1][4].
Mitigation
Red Hat Enterprise Linux addressed this vulnerability in RHSA-2009-1243 [1]. Ubuntu addressed it in USN-751-1 [3]. VMware also included a fix in ESX update releases as part of VMSA-2009-0016 [2]. Users should apply the latest kernel updates from their respective vendors [1][2][3]. If an update is not immediately available, avoid performing ext4 resize operations on untrusted systems as a workaround [1][4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:2.6.27:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.11:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.13:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.14:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.15:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.16:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.17:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.18:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.27.9:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.28.6:*:*:*:*:*:*:*
- Range: >= 2.6.27, < 2.6.27.19; >= 2.6.28, < 2.6.28.7
Patches
No patches discovered yet.
References
- www.vupen.com/english/advisories/2009/0509 (nvd, Vendor Advisory)
- bugzilla.kernel.org/show_bug.cgi (nvd)
- git.kernel.org (nvd)
- kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.19 (nvd)
- kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.7 (nvd)
- rhn.redhat.com/errata/RHSA-2009-1243.html (nvd)
- secunia.com/advisories/34394 (nvd)
- secunia.com/advisories/34981 (nvd)
- secunia.com/advisories/36562 (nvd)
- secunia.com/advisories/37471 (nvd)
- www.debian.org/security/2009/dsa-1749 (nvd)
- www.debian.org/security/2009/dsa-1787 (nvd)
- www.securityfocus.com/archive/1/507985/100/0/threaded (nvd)
- www.ubuntu.com/usn/usn-751-1 (nvd)
- www.vmware.com/security/advisories/VMSA-2009-0016.html (nvd)
- www.vupen.com/english/advisories/2009/3316 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10942 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7765 (nvd)