Security Advisory: CVE-2025-70101 - Out-of-Bounds Read in lwext4

When traversing the extent tree of a crafted EXT4 image, lwext4 reads past the valid extent index array in ext4_ext_binsearch_idx() due to missing validation of extent header fields, causing a segmentation fault.

Summary:
ext4_ext_binsearch_idx() in ext4_extent.c performs a binary search over extent index entries using pointers derived from the EXT_FIRST_INDEX and EXT_LAST_INDEX macros. These macros compute bounds directly from the eh_entries and eh_depth fields of the extent header without verifying their consistency. A crafted image can encode zero eh_entries alongside a non-zero eh_depth, causing the macros to return invalid pointers and the binary search at line 815 to read outside the allocated buffer. The fault is triggered during directory iteration via ext4_find_extent() and ultimately ext4_dir_entry_next().

CWE:
CWE-125 - Out-of-Bounds Read

Affected Component:

```
src/ext4_extent.c:815
Function: ext4_ext_binsearch_idx()

src/ext4_extent.c:896
Function: ext4_find_extent()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for mounting and directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The out-of-bounds read causes an immediate process crash (SEGV on READ at address 0x521000062a28), resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/91
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/3/sig11_lwext4_ext4_extent_815
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem

Security Advisory: CVE-2025-70100 - Divide By Zero in lwext4

When mounting or parsing a specially crafted EXT4 image that encodes a zero logical block size, lwext4 passes the invalid value into ext4_block_set_lb_size(), which performs arithmetic without validation and triggers a divide-by-zero crash.

Summary:
ext4_mount() reads the logical block size from the filesystem superblock and forwards it directly to ext4_block_set_lb_size() in ext4_blockdev.c. ext4_block_set_lb_size() uses lb_size in a division at line 127 without a prior zero-check, so a crafted image that encodes lb_size == 0 causes a Floating Point Exception. The process terminates immediately; under standard builds a SIGFPE is raised, under ASan the signal is intercepted and reported as FPE on address 0x55f254cc29e9.

CWE:
CWE-369 - Divide By Zero

Affected Component:

```
src/ext4_blockdev.c:127
Function: ext4_block_set_lb_size()

src/ext4.c:421
Function: ext4_mount()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for mounting or image processing. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The divide-by-zero causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/90
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/2/sig8_2_lwext4_ext4_blockdev_c_127
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem

Security Advisory: CVE-2025-70099 - NULL Pointer Dereference in lwext4

When parsing a specially crafted EXT4 filesystem image with malformed directory entries, lwext4 dereferences a NULL directory entry pointer in ext4_dir_en_get_name_len(), causing a segmentation fault.

Summary:
The inline helper ext4_dir_en_get_name_len() in ext4_dir.h reads the name_len field from a directory entry struct without first validating that the entry pointer is non-NULL. During directory iteration via ext4_dir_entry_next(), processing of a corrupted EXT4 image can produce a NULL (or near-NULL) entry pointer. The subsequent dereference of en->name_len at line 126 triggers a READ access at address 0x6 and crashes the process.

CWE:
CWE-476 - NULL Pointer Dereference

Affected Component:

```
include/ext4_dir.h:126
Function: ext4_dir_en_get_name_len()

src/ext4.c:3233
Function: ext4_dir_entry_next()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for parsing or directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The NULL pointer dereference causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/89
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem
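The three lwext4 advisories above share one root cause: values read from the image (extent header counts, the logical block size, directory entry offsets) are turned into pointers or divisors before anyone checks them. The C below is an added example, not lwext4's code and not the v1.0.1 patch; it shows the consistency checks a reader of an untrusted image should apply before each of the three operations. The struct layouts follow the public ext4 on-disk format, but the function names, the `ph_bsize` argument, the sample directory blocks and the limits used (tree depth 5, block size 1 KiB to 64 KiB) are this example's own assumptions, and it assumes a little-endian host.

```c
/* Added example, not lwext4 code: validate untrusted on-disk ext4 fields before
 * deriving pointers or divisors from them. Assumes a little-endian host. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_EXT_MAGIC       0xF30A  /* eh_magic of a valid extent header */
#define EXT4_EXT_ENTRY_SIZE  12      /* extent and extent index are both 12 bytes */
#define EXT4_MAX_EXT_DEPTH   5       /* Linux caps the extent tree depth at 5 */
#define EXT4_MIN_BLOCK_SIZE  1024
#define EXT4_MAX_BLOCK_SIZE  65536

struct ext4_extent_header {          /* on-disk layout, 12 bytes */
    uint16_t eh_magic;
    uint16_t eh_entries;
    uint16_t eh_max;
    uint16_t eh_depth;
    uint32_t eh_generation;
};

struct ext4_dir_entry {              /* on-disk layout, 8 bytes before the name */
    uint32_t inode;
    uint16_t rec_len;
    uint8_t  name_len;               /* offset 6: the address faulted on in CVE-2025-70099 */
    uint8_t  file_type;
};

/* CVE-2025-70101: an extent header is only safe to binary-search when its
 * counts are consistent and the entries it claims fit in 'avail' bytes. */
bool ext_header_ok(const struct ext4_extent_header *eh, size_t avail)
{
    if (eh == NULL || avail < sizeof(*eh)) return false;
    if (eh->eh_magic != EXT4_EXT_MAGIC) return false;
    if (eh->eh_entries > eh->eh_max) return false;
    if (eh->eh_depth > EXT4_MAX_EXT_DEPTH) return false;
    /* an index node with zero entries has no first/last index to search */
    if (eh->eh_depth > 0 && eh->eh_entries == 0) return false;
    size_t need = sizeof(*eh) + (size_t)eh->eh_max * EXT4_EXT_ENTRY_SIZE;
    return need <= avail;
}

/* CVE-2025-70100: a logical block size must be checked before it is used as a
 * divisor. 'ph_bsize' is the device's physical block size (hypothetical arg). */
bool lb_size_ok(uint32_t lb_size, uint32_t ph_bsize)
{
    if (lb_size == 0 || ph_bsize == 0) return false;           /* would divide by zero */
    if ((lb_size & (lb_size - 1)) != 0) return false;          /* must be a power of two */
    if (lb_size < EXT4_MIN_BLOCK_SIZE || lb_size > EXT4_MAX_BLOCK_SIZE) return false;
    return lb_size % ph_bsize == 0;                            /* sectors must tile a block */
}

/* CVE-2025-70099: copy a directory entry out of the block only if its header
 * and name lie inside the block, so callers never hold a NULL or dangling
 * entry pointer. rec_len == 0 (the 64 KiB block encoding) is rejected here. */
bool dir_entry_read(const uint8_t *blk, size_t bsize, size_t off,
                    struct ext4_dir_entry *out)
{
    if (blk == NULL || out == NULL) return false;
    if (off >= bsize || bsize - off < sizeof(*out)) return false;
    memcpy(out, blk + off, sizeof(*out));                      /* no unaligned access */
    if (out->rec_len < sizeof(*out) || (out->rec_len & 3) != 0) return false;
    if (out->rec_len > bsize - off) return false;
    return (size_t)out->name_len + sizeof(*out) <= out->rec_len;
}

/* Walk a directory block with the checked reader; returns the number of
 * well-formed entries before the first malformed one or the end of block. */
size_t dir_block_count_entries(const uint8_t *blk, size_t bsize)
{
    struct ext4_dir_entry de;
    size_t off = 0, n = 0;
    while (off < bsize && dir_entry_read(blk, bsize, off, &de)) {
        n++;
        off += de.rec_len;
    }
    return n;
}

/* Constructed 32-byte directory block: "." (inode 11) then "file" (inode 12). */
const uint8_t sample_dir_block[32] = {
    0x0b, 0, 0, 0, 0x0c, 0, 1, 2, '.', 0, 0, 0,
    0x0c, 0, 0, 0, 0x14, 0, 4, 1, 'f', 'i', 'l', 'e', 0, 0, 0, 0, 0, 0, 0, 0,
};
/* Same block with the second rec_len corrupted to 256, past the block end. */
const uint8_t sample_dir_block_bad[32] = {
    0x0b, 0, 0, 0, 0x0c, 0, 1, 2, '.', 0, 0, 0,
    0x0c, 0, 0, 0, 0x00, 0x01, 4, 1, 'f', 'i', 'l', 'e', 0, 0, 0, 0, 0, 0, 0, 0,
};

int main(void)
{
    struct ext4_extent_header bad = { EXT4_EXT_MAGIC, 0, 4, 1, 0 };  /* depth 1, 0 entries */
    printf("crafted extent header accepted: %d\n", ext_header_ok(&bad, 60));
    printf("lb_size 0 accepted: %d\n", lb_size_ok(0, 512));
    printf("entries in good block: %zu, in corrupted block: %zu\n",
           dir_block_count_entries(sample_dir_block, sizeof sample_dir_block),
           dir_block_count_entries(sample_dir_block_bad, sizeof sample_dir_block_bad));
    return 0;
}
```

The point of `dir_entry_read` is that the entry is copied out by bounded offset rather than handed around as a raw pointer, so a helper such as the `name_len` accessor in the third advisory never sees an entry it cannot safely read; the same shape (check the count against the container, then derive the pointer) is what `ext_header_ok` enforces for the extent index array.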

Security Advisory: CVE-2025-70116 - NULL Pointer Dereference in GPAC MP4Box

A NULL pointer dereference vulnerability was identified in GPAC MP4Box when processing certain malformed or truncated MP4 files.

Summary:
When MP4Box parses a specially crafted damaged MP4 file, an invalid or incomplete stsd entry may result in missing descriptor data. In the affected code path, gf_media_map_esd() in src/media_tools/isom_tools.c may dereference a NULL pointer, leading to a crash.

Affected component:
src/media_tools/isom_tools.c
Function: gf_media_map_esd()

Affected product:
GPAC MP4Box

Affected version:
The issue was reproduced on GPAC version 2.5-DEV-rev1815-g261ffdd13-master / MP4Box commit 261ffdd135eee8f646eb9326a43438b32a7ad3a1.

Attack conditions:
Exploitation requires local access or another way to make the vulnerable MP4Box instance process a malformed or truncated MP4 file. The issue is triggered during local processing of the crafted media file.

Impact:
Successful exploitation causes a segmentation fault and terminates the MP4Box process, resulting in a local denial of service (DoS). No evidence of code execution has been identified.

CWE:
CWE-476 - NULL Pointer Dereference

Fixed version:
The issue has been fixed in GPAC commit 56d21ea812fd5ba83e6c01777273de4903786fe4. Users are advised to update to a GPAC build that includes this commit or apply the patch manually.

References:

- Issue: https://github.com/gpac/gpac/issues/3345
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_esd_media_tools_isom_tools_c_1364
- Fix: https://github.com/gpac/gpac/commit/56d21ea812fd5ba83e6c01777273de4903786fe4

Credits:
@sigdevel

https://www.cve.org/CVERecord?id=CVE-2025-70116

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory