CVE-2025-70099

Published: Jun 1, 2026

Modified: Jun 2, 2026

PUBLISHED

Description

A NULL pointer dereference in the ext4_dir_en_get_name_len function in include/ext4_dir.h of lwext4 1.0.0 allows attackers to cause a denial of service by supplying a specially crafted EXT4 filesystem image with malformed directory entries. During directory iteration, the code may fail to validate the directory entry pointer before accessing the name_len field, resulting in a segmentation fault. This affects versions based on (or equivalent to) the 2016-era codebase (1.0.0).

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/gkostka/lwext4/issues/89

https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126

https://infosec.exchange/@sigdevel/116668939725424227

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-70099

Description

Affected Products

References