lwext4 EUVD-2025-210054

CVE-2025-70100 | MEDIUM
Divide By Zero (CWE-369)
2026-06-03 | cve@mitre.org | GHSA-43cg-f93f-9jhx
CVSS 3.1 (NVD): 5.5

Severity by source

NVD (PRIMARY): 5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 03, 2026 - 19:23 (vuln.today)
CVSS changed: Jun 03, 2026 - 19:22 (NVD), 5.5 (MEDIUM)
CVE Published: Jun 03, 2026 - 14:16 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.

Analysis (AI)

The divide-by-zero in lwext4 1.0.0's ext4_block_set_lb_size function (src/ext4_blockdev.c) crashes any application that mounts or processes a crafted ext4 filesystem image carrying a zero logical block size. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms the impact is limited to availability, with no code execution or data exposure, but the crash is reliable and reproducible. Publicly available exploit code exists demonstrating the issue; no active exploitation has been confirmed by CISA KEV.

Technical Context (AI)

lwext4 is a lightweight, portable C library implementing ext2/ext3/ext4 filesystem support, commonly embedded in firmware, bootloaders, and system utilities that need to read or write ext4 images without a full OS kernel. The vulnerable function ext4_block_set_lb_size in src/ext4_blockdev.c, at approximately line 127, performs arithmetic on the logical block size (lb_size) parsed from the filesystem image without first validating that the value is non-zero. CWE-369 (Divide By Zero) describes this class of missing-validation defect precisely: the program divides, or takes a modulus, by a value that can be zero under attacker-controlled input. In builds instrumented with sanitizers (ASan/UBSan), the fault surfaces as a Floating-Point Exception (SIGFPE); in standard release builds without sanitizers, the behavior is an unhandled runtime crash. Because the vulnerability is triggered during mount or image-open operations, any code path that calls the library to attach an untrusted image is exposed.

Remediation (AI)

No vendor-released patch has been identified at the time of analysis. The upstream bug report is tracked at https://github.com/gkostka/lwext4/issues/90, but no patched release tag or merged fix commit is referenced in the available data. Developers using lwext4 should apply a local patch that validates that lb_size is non-zero before any division in ext4_block_set_lb_size (src/ext4_blockdev.c, ~line 127) and returns an appropriate error code when the value is zero. As a compensating control, applications should reject or sandbox ext4 images from untrusted sources before passing them to the library; this removes the attack surface without modifying the library. Enabling UBSan in development and CI builds will surface further issues of this kind. Monitor the upstream GitHub repository for a maintainer fix.
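As an added illustration of the validation described above (this is not lwext4's own code; the blockdev struct, its field names, the size bounds and the function names are assumptions made for this example), a hardened block-size setter in C that rejects a zero or otherwise malformed lb_size before it is ever used as a divisor or modulus:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in block-device descriptor, constructed for this example.
 * Field names are assumptions, not lwext4's own definitions. */
struct blockdev {
    uint32_t ph_bsize;  /* physical block size of the underlying device */
    uint64_t part_size; /* partition size in bytes */
    uint32_t lg_bsize;  /* logical (filesystem) block size, set below */
    uint64_t lg_bcnt;   /* number of logical blocks, derived below */
};

/* Valid ext4 block sizes are powers of two from 1 KiB to 64 KiB. */
#define LB_SIZE_MIN 1024u
#define LB_SIZE_MAX 65536u

static int is_pow2(uint32_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* Hardened setter: every check runs before lb_bsize is used as a divisor
 * or modulus, so a malformed image (lb_bsize == 0 included) yields EINVAL
 * instead of SIGFPE. Returns 0 on success. */
int set_lb_size_checked(struct blockdev *bdev, uint32_t lb_bsize)
{
    if (bdev == NULL || bdev->ph_bsize == 0)
        return EINVAL;
    /* Rejects zero, non-power-of-two and out-of-range sizes in one step. */
    if (!is_pow2(lb_bsize) || lb_bsize < LB_SIZE_MIN || lb_bsize > LB_SIZE_MAX)
        return EINVAL;
    /* Logical size must be a whole multiple of the physical one; ph_bsize
     * was checked non-zero above, so this modulus cannot fault. */
    if (lb_bsize % bdev->ph_bsize != 0)
        return EINVAL;

    bdev->lg_bsize = lb_bsize;
    bdev->lg_bcnt = bdev->part_size / lb_bsize; /* safe: lb_bsize != 0 */
    return 0;
}

/* Convenience wrapper for callers that only need the block count:
 * returns 0 when the parameters are rejected. */
uint64_t logical_block_count(uint32_t ph_bsize, uint64_t part_size, uint32_t lb_bsize)
{
    struct blockdev d = { ph_bsize, part_size, 0, 0 };
    return set_lb_size_checked(&d, lb_bsize) == 0 ? d.lg_bcnt : 0;
}
```

The same pattern applies to any other divisor parsed from the image: check the value once at the parsing boundary and return an error code, so that later arithmetic never sees a zero.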
