CVE-2025-70101
Description
lwext4 library's ext4_ext_binsearch_idx function has an out-of-bounds read vulnerability due to insufficient validation of extent header fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
lwext4 library's ext4_ext_binsearch_idx function has an out-of-bounds read vulnerability due to insufficient validation of extent header fields.
Vulnerability
An out-of-bounds read vulnerability exists in the ext4_ext_binsearch_idx function within src/ext4_extent.c of the lwext4 library, specifically affecting version 1.0.0. The issue arises from a failure to validate the eh_entries field of extent headers when the header depth (eh_depth) is greater than zero. This can lead to invalid pointer calculations and subsequent out-of-bounds memory reads during extent tree traversal [1].
Exploitation
An attacker can trigger this vulnerability by supplying a specially crafted ext4 filesystem image. The exploitation involves traversing an inode's extent tree, where the ext4_ext_binsearch_idx function, assuming prior validation, proceeds with a binary search. If eh_entries is zero while eh_depth indicates an internal node, macros like EXT_FIRST_INDEX and EXT_LAST_INDEX return invalid pointers, causing the binary search to read past the allocated buffer [1]. This typically results in a segmentation fault.
Impact
Successful exploitation of this vulnerability leads to a denial of service (DoS) due to a segmentation fault. The out-of-bounds read can crash the process handling the ext4 filesystem image, preventing further operations on the filesystem or related data structures [1].
Mitigation
This vulnerability has been fixed in the lwext4 library. Users should update to a version later than 1.0.0. No specific patch release date is available, but the fix is present in the repository's main branch. There are no known workarounds other than updating the library [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient validation of extent header fields in ext4_ext_binsearch_idx leads to out-of-bounds read."
Attack vector
An attacker can trigger this vulnerability by supplying a specially crafted ext4 filesystem image. The vulnerability occurs when traversing an inode's extent tree, specifically when the `eh_entries` field is zero while `eh_depth` indicates an internal node. This leads to invalid pointer calculations and an out-of-bounds memory read during extent tree traversal, ultimately causing a segmentation fault [ref_id=1].
Affected code
The vulnerability resides in the `ext4_ext_binsearch_idx` function located in `src/ext4_extent.c`. The issue arises from the function assuming the extent header has already been validated, specifically failing to check if the `eh_entries` field is non-zero when `eh_depth` is greater than zero [ref_id=1].
What the fix does
The patch is not available in the provided bundle. The advisory indicates that the vulnerability is caused by the `ext4_ext_binsearch_idx` function not checking if the `eh_entries` field is non-zero when the `eh_depth` is greater than zero. A fix would likely involve adding this validation check before proceeding with the binary search.
Preconditions
- inputA specially crafted ext4 filesystem image.
Reproduction
Steps to reproduce the behavior: ./afl_ext4_mount_read ./sig11_lwext4_ext4_extent_815
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.