Description
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.
Published: 2026-06-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A divide‑by‑zero flaw exerts itself in the ext4_block_set_lb_size function of the lwext4 1.0.0 library. When a zero logical block size is encountered in a malformed ext4 image, the library triggers a floating‑point exception under sanitizers or crashes in standard builds, rendering the system or application unable to complete the mount or image processing operation. The vulnerability is a classic denial‑of‑service attack that destroys system availability without compromising confidentiality or integrity.

Affected Systems

The vulnerability affects the lwext4 1.0.0 filesystem library. No vendor or product parent is listed, so any application directly linking against this library version is at risk. The flaw is present in the source file ext4_blockdev.c and has no known alternative library version that mitigates it.

Risk and Exploitability

The EPSS score is not available and the flaw is not listed in CISA KEV. With a CVSS score of 5.5, the vulnerability is assessed as medium severity, indicating a moderate risk to systems that rely on lwext4 when presented with a malformed ext4 image. The attack vector is inferred to be a crafted ext4 filesystem image supplied to a process that loads or mounts the image via the vulnerable library, which could originate from a malicious user or an untrusted input channel to the application. Successful exploitation would stop the victim program or service from completing the mount or image processing operation, resulting in a denial of service.

Generated by OpenCVE AI on June 3, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the lwext4 library to a patched version or a later release that fixes the divide‑by‑zero check in ext4_block_set_lb_size.
  • If an update cannot be applied immediately, add a runtime check before invoking ext4_block_set_lb_size to ensure the logical block size is greater than zero and terminate safely if it is not.
  • Configure the application to reject or quarantine malformed ext4 images before the library processes them, limiting the opportunity for an attacker to trigger the crash.
  • Monitor system logs for floating‑point exceptions or abnormal core dumps, and restrict permissions on the binary that mounts ext4 images to prevent unprivileged users from triggering the flaw.

Generated by OpenCVE AI on June 3, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Divide‑by‑Zero in lwext4 Ext4 Block Size Validation Leading to DoS

Wed, 03 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gkostka
Gkostka lwext4
Vendors & Products Gkostka
Gkostka lwext4

Wed, 03 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Divide‑by‑Zero in lwext4 Ext4 Block Size Validation Leading to DoS
Weaknesses CWE-369

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.
References

Subscriptions

Gkostka Lwext4
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T17:34:25.964Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70100

cve-icon Vulnrichment

Updated: 2026-06-03T17:34:22.031Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-03T14:16:31.217

Modified: 2026-06-04T15:48:43.743

Link: CVE-2025-70100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T21:00:06Z

Weaknesses