Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector and required user interaction (run tool on crafted image); no privileges needed; crash-only impact with no confidentiality or integrity effect.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
In NILFS utilities through 2.3.0 (fixed in commit 26efb5d), the nilfs_sb_is_valid() function fails to validate the s_log_block_size field in the NILFS2 superblock before bit-shift operations. Attackers supplying crafted NILFS2 images trigger undefined behavior through oversized shifts or out-of-memory conditions, crashing tools like nilfs-tune and dumpseg.
Analysis (AI)
NILFS utilities (nilfs-utils) through version 2.3.0 crash when processing crafted NILFS2 filesystem images due to missing bounds validation on the s_log_block_size superblock field before performing bit-shift operations. Tools including nilfs-tune and dumpseg are affected: an attacker who can persuade a user to process a malicious image can trigger undefined behavior - either oversized shift operations or out-of-memory conditions - resulting in a denial of service via tool crash. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a user to actively run a NILFS utility (specifically nilfs-tune or dumpseg) against an attacker-controlled NILFS2 filesystem image containing a crafted superblock with s_log_block_size set to a value greater than 6. … |
| Risk Assessment | The CVSS 4.0 base score of 6.7 is appropriate and well-supported by the vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). … |
| Exploit Scenario | An attacker crafts a NILFS2 filesystem image containing a superblock with an s_log_block_size value far exceeding the valid maximum of 6 and delivers it to a target through a phishing email, file share, or malicious download. When the victim runs nilfs-tune or dumpseg against the image - for instance, during a forensic investigation, filesystem audit, or routine administration task - the unvalidated field is used in a bit-shift or allocation calculation, triggering undefined behavior that crashes the tool. … |
| Remediation | Apply the upstream fix available at commit 26efb5daff0757365101035145331b0a5a85d9d9 (https://github.com/nilfs-dev/nilfs-utils/commit/26efb5daff0757365101035145331b0a5a85d9d9), which adds a one-line bounds check - rejecting any superblock where s_log_block_size exceeds 6 - to nilfs_sb_is_valid() in lib/sb.c. … |
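
One way to express the bounds check described in the Remediation row, as an added example that is not the nilfs-utils patch itself. The field offsets, the 0x3434 magic, the relation block size = 1 << (s_log_block_size + 10) and all function names are assumptions of this example; only the limit of 6 comes from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed NILFS2 superblock layout (little-endian fields); not from the page. */
#define SB_OFF_MAGIC          6    /* 16-bit s_magic */
#define SB_OFF_LOG_BLOCK_SIZE 20   /* 32-bit s_log_block_size */
#define SB_MIN_LEN            24
#define NILFS2_MAGIC          0x3434u
#define MAX_LOG_BLOCK_SIZE    6u   /* upper bound stated on the page */
#define BASE_BLOCK_SHIFT      10u  /* assumed: block size = 1 << (log + 10) */

/* Read an n-byte little-endian unsigned value (n <= 4). */
static uint32_t get_le(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/* Returns 0 and stores the block size, or -1 if the superblock is rejected.
 * The field is bounded before the shift, so the shift count is at most 16. */
int sb_block_size_checked(const uint8_t *sb, size_t len, uint32_t *block_size)
{
    uint32_t log_bs;

    if (sb == NULL || block_size == NULL || len < SB_MIN_LEN)
        return -1;
    if (get_le(sb + SB_OFF_MAGIC, 2) != NILFS2_MAGIC)
        return -1;
    log_bs = get_le(sb + SB_OFF_LOG_BLOCK_SIZE, 4);
    if (log_bs > MAX_LOG_BLOCK_SIZE)
        return -1;
    *block_size = (uint32_t)1 << (log_bs + BASE_BLOCK_SHIFT);
    return 0;
}

/* Constructed sample: a minimal header carrying the given field value. */
int demo_check(uint32_t log_bs, uint32_t *out)
{
    uint8_t sb[SB_MIN_LEN] = {0};
    int i;

    sb[SB_OFF_MAGIC] = sb[SB_OFF_MAGIC + 1] = 0x34;
    for (i = 0; i < 4; i++)
        sb[SB_OFF_LOG_BLOCK_SIZE + i] = (uint8_t)(log_bs >> (8 * i));
    return sb_block_size_checked(sb, sizeof(sb), out);
}

int main(void) { uint32_t bs = 0; printf("%d\n", demo_check(7, &bs)); return 0; }
```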
Vendor Status
SUSE
Severity: Moderate
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
EUVD-2026-37927
GHSA-f559-vgh2-9hj6