Severity by source
NVD: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (primary rating from NVD; the only source for this CVE)
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Description (CVE.org)
An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability occurs due to insufficient validation of extent header fields before performing a binary search over extent index entries, which can result in invalid pointer calculations and an out-of-bounds memory read during extent tree traversal.
Analysis (AI)
Out-of-bounds read in lwext4 1.0.0's ext4_ext_binsearch_idx function (src/ext4_extent.c) exposes applications to memory disclosure or process crashes when parsing a specially crafted ext4 filesystem image. Insufficient validation of extent header fields before binary search traversal of the extent index tree allows invalid pointer arithmetic, resulting in reads beyond the allocated buffer boundary. A publicly available exploit exists on GitHub; no CISA KEV listing has been confirmed, but the combination of a network-deliverable attack vector and public POC elevates practical urgency for lwext4 consumers.
Technical Context (AI)
lwext4 is a lightweight, portable implementation of the ext4 filesystem commonly embedded in cross-platform and resource-constrained environments. The vulnerable function ext4_ext_binsearch_idx in src/ext4_extent.c implements a binary search over ext4 extent index entries to locate the correct leaf node during extent tree traversal. The ext4 extent header contains fields such as eh_entries that define the valid range of entries; without adequate bounds validation of these header fields before initiating the search, a manipulated filesystem image can cause the binary search to compute pointers outside the allocated extent buffer. CWE-125 (Out-of-bounds Read) characterizes this root cause: the function reads attacker-controlled data beyond the intended buffer boundary, which may expose adjacent memory or trigger a segmentation fault. This class of bug is especially impactful in filesystem parsers because the attacker fully controls the on-disk layout of the malicious image.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis; no fixed version is confirmed in any available reference. Consumers should actively monitor the upstream issue at https://github.com/gkostka/lwext4/issues/91 for a patch release. Interim compensating controls:
(1) Restrict lwext4-based applications to processing only ext4 images from trusted sources whose integrity has been cryptographically verified. This removes the attacker-controlled-image delivery path but requires a trusted image pipeline.
(2) Sandbox or isolate processes that invoke lwext4 parsing using OS-level mechanisms such as seccomp-bpf filters, Linux namespaces, or containers. This limits the blast radius of a successful out-of-bounds read by restricting what is accessible to the process.
(3) If direct source modification is feasible, add explicit bounds validation of the extent header fields (particularly eh_entries) against the known allocated buffer size before the binary search loop in ext4_ext_binsearch_idx; the upstream issue at https://github.com/gkostka/lwext4/issues/91 provides context for where the check is missing.
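As an added illustration of the missing check described in the technical context and in remediation item (3), the following C code is not lwext4's own (its struct layouts and function signatures differ); it reconstructs a header validation that runs before the binary search over extent index entries. It assumes the standard ext4 on-disk layout (12-byte extent header with eh_magic, eh_entries, eh_max, eh_depth; 12-byte index entries whose first field is ei_block) and a constructed sample node; the names ext_header_check, ext_binsearch_idx_checked and demo_search are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

#define EXT4_EXT_MAGIC 0xF30A   /* on-disk magic of an ext4 extent header */
#define EXT_HDR_SIZE   12       /* on-disk size of ext4_extent_header */
#define EXT_IDX_SIZE   12       /* on-disk size of ext4_extent_index */

/* ext4 on-disk fields are little-endian; read/write them byte-wise to stay host-independent. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* The check the vulnerable path lacked: every entry the header claims must lie inside the
 * buffer that actually holds the node. Returns 0 if the header is sane, -1 otherwise. */
static int ext_header_check(const uint8_t *node, size_t node_len) {
    if (node_len < EXT_HDR_SIZE) return -1;
    uint16_t eh_magic = rd16(node), eh_entries = rd16(node + 2), eh_max = rd16(node + 4);
    if (eh_magic != EXT4_EXT_MAGIC) return -1;
    if (eh_entries > eh_max) return -1;                                     /* more entries than capacity */
    if ((size_t)eh_max * EXT_IDX_SIZE > node_len - EXT_HDR_SIZE) return -1; /* capacity exceeds buffer */
    return 0;
}

/* Binary search the index entries (ei_block is the first u32 of each) for the last entry
 * with ei_block <= block. Returns its position, or -1 for a malformed or empty node. */
int ext_binsearch_idx_checked(const uint8_t *node, size_t node_len, uint32_t block) {
    if (ext_header_check(node, node_len) != 0) return -1;
    int n = rd16(node + 2);
    if (n == 0) return -1;
    const uint8_t *idx = node + EXT_HDR_SIZE;
    int lo = 1, hi = n - 1;   /* entry 0 is always a candidate: it covers blocks below entry 1 */
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (block < rd32(idx + (size_t)mid * EXT_IDX_SIZE)) hi = mid - 1; else lo = mid + 1;
    }
    return hi;
}

/* Constructed sample node (not taken from any real image): capacity eh_max = 4, three real
 * index entries at logical blocks 0, 100, 200. eh_entries is caller-chosen so a forged
 * header (e.g. 1000 entries) can be fed to the same search and must be rejected. */
int demo_search(uint16_t eh_entries, uint32_t block) {
    uint8_t buf[EXT_HDR_SIZE + 4 * EXT_IDX_SIZE] = {0};
    wr16(buf, EXT4_EXT_MAGIC); wr16(buf + 2, eh_entries); wr16(buf + 4, 4); wr16(buf + 6, 1);
    for (int i = 0; i < 3; i++) wr32(buf + EXT_HDR_SIZE + i * EXT_IDX_SIZE, (uint32_t)i * 100);
    return ext_binsearch_idx_checked(buf, sizeof buf, block);
}
```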
External POC / Exploit Code
EUVD-2025-210055
GHSA-4v99-r46p-gx3v