CVE-2025-70100

June 4, 2026, 3:48 p.m.

5.5
Medium

Description

A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.

Product(s) Impacted

Vendor Product Versions
Lwext4
  • Lwext4
  • 1.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-369
Divide By Zero
The product divides a value by zero.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a lwext4 lwext4 1.0.0 / / / / / / /

References

https://github.com/gkostka/lwext4/issues/90
https://github.com/sigdevel/pocs/blob/main/res/lwext4/2/sig8_2_lwext4_ext4_blockdev_c_127
https://infosec.exchange/@sigdevel/116668952003072580
https://github.com/gkostka/lwext4/issues/90

Tags

[email protected]
CWE-369
2026-06-03
CVE-2025-70100

CVSS Score

5.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: June 3, 2026, 2:16 p.m.
Last Modified: June 4, 2026, 3:48 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.