Description
Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the name with memcpy without validating the structural relationship between de_rec_len, de_name_len, and the directory block boundary (for example that de_rec_len is non-zero, at least the size of the entry header, and that the record fits within the block). Callers such as find_dir_entry() and ext2_get_direntry() (subsys/fs/ext2/ext2_impl.c) then advance traversal using the unvalidated de_rec_len. A crafted ext2 image can therefore cause an out-of-bounds read from the directory block buffer when a malformed entry near the end of a block triggers an oversized name copy, or a zero-progress infinite loop when de_rec_len == 0. The issue is not reached at mount time but later through directory traversal paths such as pathname lookup, stat/open/unlink/rename, and readdir. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media.
Published: 2026-06-22
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zephyr's ext2 directory-entry parser does not fully validate the on-disk layout before copying an entry's name or advancing the traversal pointer. The code checks only the name length before copying the name with a raw memcpy, and traversal then advances by an unverified record length field. This allows an attacker to craft a malformed directory entry that causes an out-of-bounds read in the directory block buffer or a zero-progress infinite loop, resulting in a denial-of-service condition. The weakness is a classic out-of-bounds read (CWE-125).

Affected Systems

The flaw resides in Zephyr RTOS’s ext2 filesystem implementation. Any instance of Zephyr that mounts an ext2 filesystem from media supplied by an attacker is susceptible. No vendor‑specific version data is supplied, so all affected releases of Zephyr that use the ext2 code path are potentially impacted.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not actively exploited at the time of this analysis. An attacker must supply a crafted ext2 image and gain sufficient privilege to mount it in Zephyr, typically via physical or network access to the device. Consequently, the attack vector is local or remote depending on the ability to place the image on a device that will mount it, and the exploitation likelihood is low absent a privileged foothold.

Generated by OpenCVE AI on June 23, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Zephyr release that addresses the ext2 parsing bug
  • Prevent mounting of untrusted ext2 filesystems or enforce strict integrity checks on ext2 images before mounting
  • Apply code‑level defensive checks to validate de_rec_len, de_name_len, and block boundaries when parsing directory entries

Generated by OpenCVE AI on June 23, 2026 at 01:20 UTC.
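
The structural checks named in the description and in the recommended actions, written out as stand-alone C. This is an added example, not Zephyr's code or its fix: de_validate, de_walk and the sample blocks are hypothetical names, the 8-byte header is the standard ext2 on-disk directory entry layout, and the 4-byte alignment test is an extra check beyond those the page lists.

```c
#include <stddef.h>
#include <stdint.h>

#define DE_HDR 8u /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

/* Returns the validated rec_len (>= DE_HDR) of the entry at `off`, or a
 * negative error. On success the name bytes lie wholly inside the record. */
int de_validate(const uint8_t *blk, size_t blk_size, size_t off)
{
    if (off > blk_size || blk_size - off < DE_HDR)
        return -1; /* header would cross the block end */
    uint16_t rl = (uint16_t)(blk[off + 4] | (blk[off + 5] << 8));
    uint8_t nl = blk[off + 6];
    if (rl < DE_HDR || (rl & 3u) != 0)
        return -2; /* covers rec_len == 0; alignment is the added check */
    if (rl > blk_size - off)
        return -3; /* record must end inside the block */
    if ((size_t)DE_HDR + nl > rl)
        return -4; /* name must end inside the record */
    return (int)rl;
}

/* Walks one directory block: entry count, or the negative validation error. */
int de_walk(const uint8_t *blk, size_t blk_size)
{
    size_t off = 0;
    int n = 0;
    while (off < blk_size) {
        int rl = de_validate(blk, blk_size, off);
        if (rl < 0)
            return rl;
        n++;
        off += (size_t)rl; /* rl >= DE_HDR, so every iteration makes progress */
    }
    return n;
}

/* Constructed 32-byte sample blocks: rec_len at +4 (little-endian), name_len at +6. */
static const uint8_t GOOD[32] = { [4] = 12, [6] = 1, [16] = 20, [18] = 3 };
static const uint8_t ZERO[32] = { [4] = 0, [6] = 1 };
static const uint8_t SPILL[32] = { [4] = 24, [6] = 1, [28] = 12, [30] = 200 };
static const uint8_t NAMELEN[32] = { [4] = 8, [6] = 5 };

int main(void)
{
    return (de_walk(GOOD, 32) == 2 && de_walk(ZERO, 32) == -2 &&
            de_walk(SPILL, 32) == -3 && de_walk(NAMELEN, 32) == -4) ? 0 : 1;
}
```

A name copy is safe only after de_validate succeeds, and the walker rejects the whole block on the first malformed entry instead of skipping it.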


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zephyrproject-rtos; Zephyrproject-rtos zephyr
Vendors & Products | | Zephyrproject-rtos; Zephyrproject-rtos zephyr

Tue, 23 Jun 2026 00:30:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | fs: ext2: Missing structural validation of directory entries can cause out-of-bounds read and zero-progress directory traversal
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}


Subscriptions

Zephyrproject-rtos Zephyr
MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-22T23:48:11.747Z

Reserved: 2026-06-02T15:11:47.668Z

Link: CVE-2026-10645

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T02:30:16Z

Weaknesses