CVE-2025-70100
Status: Analyzed (analysis complete)
Divide-by-Zero in lwext4 1.0.0 Library

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: MITRE

Description
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing: lb_size is used as a divisor without being validated, so the integer division by zero is reported as a division-by-zero error under sanitizers and, in standard builds, kills the process with SIGFPE (printed by the shell as "Floating point exception", even though no floating-point arithmetic is involved).
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-05
Generated: 2026-06-24
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-22
Affected Vendors & Products
Vendor: gkostka
Product: lwext4
Version / Range: 1.0.0
CWE: CWE-369 (Divide By Zero): The product divides a value by zero.
Compliance Impact

The provided information does not specify any impact of the CVE-2025-70100 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Until a fixed lwext4 release is available, do not mount or process untrusted or unverified ext4 filesystem images with the library: a crafted image whose logical block size works out to zero is all that is needed to trigger the divide-by-zero.

When a patch or update for lwext4 is available, apply it and confirm that it rejects a zero logical block size (lb_size) before that value is used in any arithmetic, rather than only guarding one caller of the function.

Until a fix is applied, run the library and the applications that embed it in a controlled environment, keep potentially malicious ext4 images away from it, and treat a SIGFPE crash during mount as a sign that a malformed image reached the vulnerable path.

Executive Summary

CVE-2025-70100 is a divide-by-zero vulnerability in the lwext4 1.0.0 library, specifically in the ext4_block_set_lb_size function in src/ext4_blockdev.c. It is reached when the function processes a malformed ext4 filesystem image whose logical block size (lb_size) works out to zero. Because the function does not validate this value before using it as a divisor, the integer division raises SIGFPE, which a sanitizer build reports as a division-by-zero error and a standard build surfaces as a "Floating point exception" crash.

The flaw is triggered during mounting or image processing, so the program performing the mount terminates on the unhandled division-by-zero.
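The validation the mitigation section calls for and the failure the summary describes, as an added C example that is not lwext4's own code: struct blockdev, set_lb_size_unchecked, set_lb_size_checked, image_block_size and the helper functions are hypothetical names modelled on the fields the advisory mentions (partition size, physical and logical block size). The block shows the unchecked division beside a version that rejects a zero or otherwise unusable logical block size before dividing, plus a superblock reader that refuses out-of-range s_log_block_size values at the input boundary. The superblock offsets are from the ext4 on-disk layout; the sample image is constructed (4 KiB of zeros with only s_log_block_size set) and is not a mountable filesystem. How a real crafted image reaches lb_size 0 inside lwext4 is not stated by the advisory; the 32-bit shift wrap the comments mention is an assumption about one plausible route.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical block-device handle, modelled on the fields the advisory refers
 * to (partition size, physical and logical block size); not lwext4's own struct. */
struct blockdev {
    uint64_t part_size;   /* partition size in bytes */
    uint32_t ph_bsize;    /* physical (device) block size in bytes */
    uint32_t lg_bsize;    /* logical (filesystem) block size in bytes */
    uint64_t lg_bcnt;     /* number of logical blocks on the partition */
};

/* The vulnerable shape the advisory describes: lb_bsize is a divisor with no
 * check. lb_bsize == 0 is an integer division by zero: SIGFPE ("Floating point
 * exception") in a normal build, a "division by zero" report under UBSan.
 * Kept for contrast only; nothing below calls it. */
void set_lb_size_unchecked(struct blockdev *bdev, uint32_t lb_bsize)
{
    bdev->lg_bsize = lb_bsize;
    bdev->lg_bcnt = bdev->part_size / lb_bsize;
}

/* Hardened form: reject zero, non-power-of-two sizes and sizes that are not a
 * multiple of the physical block size before any arithmetic; -1 on rejection. */
int set_lb_size_checked(struct blockdev *bdev, uint32_t lb_bsize)
{
    if (lb_bsize == 0 || (lb_bsize & (lb_bsize - 1)) != 0)
        return -1;
    if (bdev->ph_bsize == 0 || lb_bsize % bdev->ph_bsize != 0)
        return -1;
    bdev->lg_bsize = lb_bsize;
    bdev->lg_bcnt = bdev->part_size / lb_bsize;
    return 0;
}

/* ext4 on-disk layout: the primary superblock starts at byte 1024, s_log_block_size
 * is a little-endian u32 at offset 24 inside it, block size = 1024 << that value,
 * and 64 KiB (shift 6) is the largest block size ext4 supports. */
#define EXT4_SB_OFFSET       1024
#define EXT4_SB_LOG_BSIZE    24
#define EXT4_MIN_BLOCK_SIZE  1024u
#define EXT4_MAX_LOG_BSIZE   6

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Derive the logical block size at the input boundary; 0 means "do not mount".
 * 1024 << 22 wraps to 0 in 32-bit arithmetic, so an unbounded shift is one
 * plausible (assumed, not stated by the advisory) route to a zero lb_size. */
uint32_t image_block_size(const uint8_t *img, size_t len)
{
    if (len < EXT4_SB_OFFSET + EXT4_SB_LOG_BSIZE + 4)
        return 0;
    uint32_t log_bsize = le32(img + EXT4_SB_OFFSET + EXT4_SB_LOG_BSIZE);
    if (log_bsize > EXT4_MAX_LOG_BSIZE)
        return 0;
    return EXT4_MIN_BLOCK_SIZE << log_bsize;
}

/* Constructed image: 4 KiB of zeros with only s_log_block_size set. It is not
 * a mountable filesystem, just enough to exercise the checks above. */
static void make_image(uint8_t *img, size_t len, uint32_t log_bsize)
{
    memset(img, 0, len);
    uint8_t *p = img + EXT4_SB_OFFSET + EXT4_SB_LOG_BSIZE;
    p[0] = (uint8_t)log_bsize;         p[1] = (uint8_t)(log_bsize >> 8);
    p[2] = (uint8_t)(log_bsize >> 16); p[3] = (uint8_t)(log_bsize >> 24);
}

/* Block size the parser derives for a given s_log_block_size (0 = rejected). */
uint32_t derived_block_size_for(uint32_t log_bsize)
{
    uint8_t img[4096];
    make_image(img, sizeof img, log_bsize);
    return image_block_size(img, sizeof img);
}

/* Logical block count for a 1 MiB partition with 512-byte physical blocks,
 * or 0 when set_lb_size_checked() rejects the size (no division is reached). */
uint64_t checked_block_count_for(uint32_t lb_bsize)
{
    struct blockdev bdev = { .part_size = 1u << 20, .ph_bsize = 512 };
    return set_lb_size_checked(&bdev, lb_bsize) == 0 ? bdev.lg_bcnt : 0;
}

int main(void)
{
    uint32_t ok = derived_block_size_for(2), bad = derived_block_size_for(22);
    printf("shift 2: bsize=%u blocks=%llu\n", ok, (unsigned long long)checked_block_count_for(ok));
    printf("shift 22: bsize=%u blocks=%llu (rejected)\n", bad, (unsigned long long)checked_block_count_for(bad));
    return 0;
}
```

The point of the two-layer check is that the setter must defend itself regardless of what the parser did: image_block_size() rejects bad superblock values early, but set_lb_size_checked() still refuses a zero divisor on its own, so a future caller that bypasses the parser cannot reintroduce the crash.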

Impact Analysis

This vulnerability is a denial of service: an application or system that uses the vulnerable lwext4 library crashes when it attempts to mount or process a specially crafted ext4 filesystem image with a zero logical block size.

Anyone who can supply such an image to the mount or image-processing path can disrupt the services that depend on the library. The advisory describes no impact beyond the crash; CWE-369 is a division-by-zero class, not a memory-corruption class.

Detection Guidance

A build can be tested for this vulnerability by mounting or processing a crafted ext4 filesystem image whose logical block size is zero: a vulnerable build dies on the division-by-zero, a fixed build rejects the image.

One practical method is to run the lwext4 fuzzer against the malicious image named sig8_2_lwext4_ext4_blockdev_c_127, which causes an immediate crash on the division-by-zero.

For example, on a Kali Linux system with Clang 19.1.7 and lwext4 1.0.0, running the fuzzer against that image reproduces the crash. Building with UBSan (-fsanitize=undefined) yields an explicit division-by-zero report naming the faulting line, rather than a bare "Floating point exception" exit.
