CVE-2025-70100
Analyzed - Analysis Complete
Divide-by-Zero in lwext4 1.0.0 Library

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: MITRE

Description
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-05
Generated: 2026-06-23
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-22
Affected Vendors & Products
Showing 1 associated CPE
Vendor: gkostka
Product: lwext4
Version / Range: 1.0.0
CWE
CWE-369: The product divides a value by zero.
Executive Summary

CVE-2025-70100 is a divide-by-zero vulnerability in the lwext4 1.0.0 library, specifically in the ext4_block_set_lb_size function located in src/ext4_blockdev.c. This vulnerability occurs when the function processes a malformed ext4 filesystem image that has a logical block size (lb_size) set to zero. Because the function does not validate this input, it performs a division by zero, leading to a Floating-Point Exception (FPE) or a runtime crash.

The flaw is triggered during the mounting or image processing of the ext4 filesystem, causing the program to crash due to the unhandled division-by-zero error.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing applications or systems that use the vulnerable lwext4 library when they attempt to mount or process a specially crafted ext4 filesystem image with a zero logical block size.

An attacker can exploit this by providing a malformed ext4 filesystem image, which leads to a runtime crash or Floating-Point Exception, potentially disrupting normal operations or services relying on this library.

Detection Guidance

This vulnerability can be detected by attempting to mount or process a specially crafted ext4 filesystem image that contains a zero logical block size, which triggers a division-by-zero error in the lwext4 library.

One practical detection method is to run the lwext4 fuzzer with the malicious image named sig8_2_lwext4_ext4_blockdev_c_127, which causes an immediate crash due to the division-by-zero error.

For example, on a Kali Linux system with Clang 19.1.7 and lwext4 version 1.0.0, you can reproduce the issue by running the fuzzer against the crafted image to observe the Floating-Point Exception or crash.

Compliance Impact

The provided information does not specify any impact of the CVE-2025-70100 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the CVE-2025-70100 vulnerability, immediate steps include avoiding the mounting or processing of untrusted or malformed ext4 filesystem images that could trigger the divide-by-zero error.

Additionally, once they are available, apply patches or updates to the lwext4 library that validate the logical block size (lb_size) and reject zero values before any arithmetic operation uses it.
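
The validation this mitigation calls for, as an added C example that is not lwext4 source or the project's patch: the struct, the function names and the 1 KiB to 64 KiB power-of-two bounds are assumptions chosen for illustration. The unchecked variant models the missing-validation pattern described above; the checked variant rejects zero and other unusable sizes before dividing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for a block device descriptor.
 * Field names are assumptions for this example, not lwext4's definitions. */
struct blockdev_model {
    uint64_t part_size; /* partition size in bytes */
    uint32_t ph_bsize;  /* physical block size in bytes */
    uint32_t lb_size;   /* logical block size in bytes */
    uint64_t lb_count;  /* logical blocks in the partition */
};

/* Assumed policy: power-of-two logical block sizes from 1 KiB to 64 KiB. */
#define LB_SIZE_MIN 1024u
#define LB_SIZE_MAX 65536u

/* Unchecked pattern: lb_size == 0 reaches the division (CWE-369). */
void set_lb_size_unchecked(struct blockdev_model *bdev, uint32_t lb_size)
{
    bdev->lb_size = lb_size;
    bdev->lb_count = bdev->part_size / lb_size;
}

/* Checked variant: returns 0 on success, -EINVAL without touching bdev
 * when lb_size (taken from an untrusted image) is not usable. */
int set_lb_size_checked(struct blockdev_model *bdev, uint32_t lb_size)
{
    if (bdev == NULL || bdev->ph_bsize == 0)
        return -EINVAL;
    if (lb_size < LB_SIZE_MIN || lb_size > LB_SIZE_MAX)
        return -EINVAL;              /* rejects 0 and oversized values */
    if ((lb_size & (lb_size - 1)) != 0)
        return -EINVAL;              /* not a power of two */
    if (lb_size % bdev->ph_bsize != 0)
        return -EINVAL;              /* not a multiple of the physical block */
    bdev->lb_size = lb_size;
    bdev->lb_count = bdev->part_size / lb_size;
    return 0;
}
```

A caller that gets -EINVAL should fail the mount and report the image as malformed rather than continue with a default size.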

Until a fix is applied, running the library or applications using it in a controlled environment and avoiding exposure to potentially malicious ext4 images can reduce the risk of denial of service.
