HIGH 7.5

CVE-2025-70099: NULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)

A vulnerability in the lwext4 library (version 1.0.0) can crash applications that process specially crafted EXT4 filesystem images. The flaw occurs when the code attempts to read file information from a corrupted directory entry without first verifying the entry pointer exists. An attacker could provide a malicious filesystem image to trigger this crash, disrupting service availability. This is a denial-of-service issue with no data theft or system compromise risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-29

NVD description (verbatim)

A NULL pointer dereference in the ext4_dir_en_get_name_len function in include/ext4_dir.h of lwext4 1.0.0 allows attackers to cause a denial of service by supplying a specially crafted EXT4 filesystem image with malformed directory entries. During directory iteration, the code may fail to validate the directory entry pointer before accessing the name_len field, resulting in a segmentation fault. This affects versions based on (or equivalent to) the 2016-era codebase (1.0.0).

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-70099 is a NULL pointer dereference in the ext4_dir_en_get_name_len function located in include/ext4_dir.h of lwext4 1.0.0. During directory iteration, the function fails to validate that a directory entry pointer is non-NULL before dereferencing it to access the name_len field. When processing a specially crafted EXT4 filesystem image containing malformed directory entries, this validation gap leads to a segmentation fault. The vulnerability stems from the 2016-era codebase architecture and affects the directory parsing logic.

Business impact

Organizations using lwext4 (a lightweight EXT4 filesystem library) face availability risks. Any application embedding lwext4 that processes untrusted filesystem images—such as disk imaging tools, container runtimes, forensic platforms, or embedded storage managers—could be crashed by a malicious image. This creates a denial-of-service vector that could interrupt critical workflows, disrupt automated batch processing, or be weaponized in multi-stage attacks. The impact is particularly acute in cloud environments or edge devices where lwext4 may be used in storage orchestration or recovery tooling.

Affected systems

lwext4 version 1.0.0 and any application or service that directly embeds or links against this library version are affected. Specific vendor products are not listed in current advisories, suggesting the vulnerability affects a broad ecosystem of open-source and proprietary tools that have integrated lwext4. Organizations should audit their supply chain for lwext4 dependencies, particularly in embedded systems, container images, disk utilities, and storage platforms. Versions after 1.0.0 may or may not contain the fix; consult the lwext4 project repository for confirmation.

Exploitability

Exploitability is straightforward but requires delivery of a crafted filesystem image. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility and low attack complexity. An attacker needs only to supply a malformed EXT4 image to trigger the crash—no authentication, user interaction, or local access is required. In practice, exploitability depends on exposure: applications that accept filesystem images from untrusted sources (e.g., user uploads, network shares, container images) face immediate risk. Isolated systems that only process filesystem images from trusted internal sources face lower risk.

Remediation

Immediate action: identify all applications and services in your environment that depend on lwext4 1.0.0 or equivalent versions. Contact the library maintainers or the projects embedding lwext4 to obtain patched versions. As of the current advisory, a specific patched version number is not confirmed; verify with the lwext4 project repository or the relevant vendor. In the interim, restrict filesystem image processing to validated and scanned sources where possible, and consider implementing input validation wrappers around EXT4 parsing operations. Monitor for upstream patches and plan deployment within your change management cycle.

Patch guidance

Begin by determining which software components in your environment use lwext4. Check the lwext4 project repository (https://github.com/gkostka/lwext4) for patches released after this advisory. If patched versions are available, prioritize deployment to systems that process untrusted or user-supplied filesystem images. For embedded or containerized deployments, rebuild and redeploy affected images with the patched library. If a patched lwext4 version is unavailable or delays are expected, implement application-level safeguards: validate filesystem metadata before parsing, run parsing operations in sandboxed processes with minimal privileges, and monitor for segmentation faults in logging and telemetry. Coordinate patching timelines with downstream projects that may be waiting for updates.

Detection guidance

Monitor application logs and system coredumps for segmentation faults (SIGSEGV) occurring in lwext4 directory parsing functions or the ext4_dir_en_get_name_len function. Enable detailed logging on any storage or filesystem processing tools that use lwext4. Track failed filesystem mount or parsing attempts, especially when processing images from external or untrusted sources. Network-based detection is limited; focus on host-based signals: process crashes, abnormal termination codes, and memory violation exceptions tied to EXT4 operations. If forensic capabilities are available, capture and analyze crash dumps for stack traces indicating the vulnerable code path.

Why prioritize this

This vulnerability merits HIGH priority (CVSS 7.5) due to several factors: (1) Low barrier to exploitation—any application can be crashed by a malformed image; (2) Wide potential blast radius—lwext4 is a general-purpose library used across embedded systems, containers, and storage tools; (3) Denial-of-service impact in automated or critical workflows can cascade; (4) The 2016-era codebase suggests extended deployment lifetime in legacy and embedded systems. However, impact is limited to availability; confidentiality and integrity are unaffected. Prioritize patching systems exposed to untrusted filesystem images. Systems processing only internal, validated images can follow a standard maintenance cadence.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a HIGH severity: network-accessible (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N, UI:N), unavailable scope (S:U), and high availability impact (A:H). No confidentiality (C:N) or integrity (I:N) impact occurs. The score is appropriate for a denial-of-service vulnerability in a library with broad reach. However, practical risk depends on deployment: a crashed parsing service in a fault-tolerant architecture may have lower real-world impact than a single-threaded embedded application. Adjust prioritization based on your application's role and resilience profile.

Frequently asked questions

Does this vulnerability affect the latest version of lwext4?

The advisory specifically targets lwext4 1.0.0 and 2016-era equivalent codebases. Later releases may or may not include the fix. Check the lwext4 project's changelog or contact the maintainer to confirm the status of your specific version. Do not assume that 'latest' is patched without verification.

Can this vulnerability be exploited over the network?

Yes, if the vulnerable application accepts filesystem images over the network. The CVSS vector indicates network accessibility (AV:N). However, the attacker must successfully deliver the crafted image and have the application process it. Systems with network-exposed storage services (cloud storage, NAS, container registries) are at higher risk than isolated local deployments.

What should we do if we cannot immediately patch?

Implement input validation and sandboxing: restrict filesystem image processing to trusted sources, run parsing in isolated processes with dropped privileges, and monitor for crashes. Implement rate limiting on filesystem operations to reduce denial-of-service impact. These are temporary mitigations; patching should remain the primary goal within your maintenance window.

Does this affect my cloud storage or container platform?

Only if the platform uses lwext4 internally for EXT4 filesystem operations. Many cloud platforms use abstracted storage layers and do not directly expose lwext4. Review your platform's documentation or contact support to confirm lwext4 usage. Container images that embed lwext4 tools (e.g., disk utilities) should be rebuilt with patched versions.

This analysis is provided for informational purposes and reflects the state of knowledge as of the advisory publication date (2026-06-01). Specific vendor products and patched version numbers were not provided in the source advisory; verify patch availability and affected software versions directly with upstream maintainers and your vendors. CVSS scores are provided by the advisory authority; real-world risk may vary based on deployment context, network exposure, and compensating controls. SEC.co does not warrant the completeness or timeliness of this analysis. Always refer to official vendor advisories and your organization's security policies for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).