CVE-2025-70100
Divide-by-Zero in lwext4 1.0.0 Library
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any impact of the CVE-2025-70100 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-70100 is a divide-by-zero in the lwext4 1.0.0 library, in the function ext4_block_set_lb_size in src/ext4_blockdev.c. The function takes the logical block size (lb_size) declared by an ext4 filesystem image and uses it as a divisor without first checking that it is non-zero. A crafted image that declares a logical block size of zero therefore makes the function perform an integer division by zero. On Linux/x86 that trap is delivered as SIGFPE, which the shell reports as "Floating point exception" even though no floating-point arithmetic is involved, and the process terminates.
The crash happens while the image is being mounted or otherwise processed, at the point where the block-device geometry is configured from the image's declared block size. Because the division is unguarded, the outcome is an unhandled fault rather than an error return to the caller.
How can this vulnerability impact me? :
The impact is denial of service: any application or device that uses lwext4 1.0.0 to mount or process an attacker-supplied ext4 image with a zero logical block size crashes at that point. lwext4 is designed to be linked into embedded firmware and standalone tools rather than run as a separate service, so the crash takes down whichever process or device hosts the library; on a target without process isolation that can mean a reset of the whole device.
Exploitation requires only that the attacker get a malformed image in front of the library, for example via removable media, a disk or firmware image submitted for processing, or a filesystem fetched over the network and mounted. The report describes a crash only; there is no indication of memory corruption or code execution, so the outcome is an outage, not a compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no network-level signature for this flaw: it is a crash inside a library compiled into an application or firmware image. Detection therefore has two parts: identify software that embeds lwext4 1.0.0 (check source trees, SBOMs and vendored third-party directories, since the library is normally statically linked and will not show up in a package list), and confirm the behaviour by mounting or processing a crafted ext4 image whose logical block size is zero, which triggers the division by zero.
The reproduction on record uses the lwext4 fuzzer with the crashing input named sig8_2_lwext4_ext4_blockdev_c_127; feeding that image to the fuzz target crashes it immediately on the division by zero.
The reported environment is Kali Linux with Clang 19.1.7 and lwext4 1.0.0. Building the fuzz target there and running it against the crafted image reproduces the SIGFPE. Run the reproduction only in a disposable environment, since the only observable result is the crash itself.
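A pre-mount sanity check for the block-size field, as an added example that is not part of the original page or of lwext4. It reads the on-disk ext4 superblock (1024 bytes into the image; s_log_block_size at offset 24 and s_magic at offset 56, both little-endian), derives the block size the way a 32-bit computation of 1024 << s_log_block_size would, and flags images where that value is zero or outside the 1 KiB to 64 KiB range ext4 allows. That a 32-bit block size wrapping to zero is how a crafted image reaches the zero lb_size in lwext4 is an assumption of this example, not a statement from the page; the images it checks are constructed in memory with only the fields it reads populated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* On-disk ext4 superblock layout (fixed by the ext4 format). */
#define EXT4_SB_OFFSET        1024u   /* superblock starts 1 KiB into the device */
#define EXT4_SB_SIZE          1024u
#define SB_LOG_BLOCK_SIZE_OFF 24u     /* __le32 s_log_block_size */
#define SB_MAGIC_OFF          56u     /* __le16 s_magic */
#define EXT4_MAGIC            0xEF53u
#define EXT4_MAX_LOG_BSIZE    6u      /* 1024 << 6 = 64 KiB, the largest ext4 block */

enum sb_verdict {
    SB_OK = 0,
    SB_TOO_SHORT,        /* image does not even contain a full superblock */
    SB_BAD_MAGIC,        /* not an ext2/3/4 image */
    SB_ZERO_BLOCK_SIZE,  /* 32-bit derived block size wraps to 0: the CVE trigger */
    SB_BAD_BLOCK_SIZE    /* nonzero but outside 1 KiB..64 KiB */
};

static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t le16_at(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Block size as a 32-bit "1024 << log" computation yields it. For log >= 22 the
 * true value 2^(10+log) no longer fits in 32 bits and the result is 0, which is
 * exactly the kind of value that ends up as a zero divisor (assumption, see lead-in). */
uint32_t derived_block_size(uint32_t log_block_size)
{
    if (log_block_size >= 32)   /* shifting by >= width is undefined; treat as bogus */
        return 0;
    return 1024u << log_block_size;
}

enum sb_verdict check_ext4_superblock(const uint8_t *img, size_t len, uint32_t *bsize_out)
{
    if (len < EXT4_SB_OFFSET + EXT4_SB_SIZE)
        return SB_TOO_SHORT;
    const uint8_t *sb = img + EXT4_SB_OFFSET;
    if (le16_at(sb + SB_MAGIC_OFF) != EXT4_MAGIC)
        return SB_BAD_MAGIC;

    uint32_t log = le32_at(sb + SB_LOG_BLOCK_SIZE_OFF);
    uint32_t bsize = derived_block_size(log);
    if (bsize_out)
        *bsize_out = bsize;
    if (bsize == 0)
        return SB_ZERO_BLOCK_SIZE;
    if (log > EXT4_MAX_LOG_BSIZE)
        return SB_BAD_BLOCK_SIZE;
    return SB_OK;
}

/* Constructed test image: zero-filled, valid magic, caller-chosen log value. */
uint8_t g_image[EXT4_SB_OFFSET + EXT4_SB_SIZE];

static void build_image(uint32_t log_block_size)
{
    memset(g_image, 0, sizeof g_image);
    uint8_t *sb = g_image + EXT4_SB_OFFSET;
    sb[SB_MAGIC_OFF]     = 0x53;   /* 0xEF53, little-endian */
    sb[SB_MAGIC_OFF + 1] = 0xEF;
    for (int i = 0; i < 4; i++)
        sb[SB_LOG_BLOCK_SIZE_OFF + i] = (uint8_t)(log_block_size >> (8 * i));
}

/* Verdict for a constructed image carrying the given s_log_block_size. */
enum sb_verdict verdict_for_log(uint32_t log_block_size)
{
    build_image(log_block_size);
    return check_ext4_superblock(g_image, sizeof g_image, NULL);
}

/* Same image but with the magic clobbered, to exercise the rejection path. */
enum sb_verdict verdict_for_bad_magic(void)
{
    build_image(2);
    g_image[EXT4_SB_OFFSET + SB_MAGIC_OFF] = 0;
    return check_ext4_superblock(g_image, sizeof g_image, NULL);
}

int main(void)
{
    static const uint32_t samples[] = { 0, 2, 6, 7, 22, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("s_log_block_size=%u derived block size=%u verdict=%d\n",
               samples[i], derived_block_size(samples[i]), (int)verdict_for_log(samples[i]));
    return 0;
}
```

Running the same check over an image file from disk only needs the first 2048 bytes read into a buffer; an SB_ZERO_BLOCK_SIZE or SB_BAD_BLOCK_SIZE verdict is grounds to refuse the image before any mount code runs.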
What immediate steps should I take to mitigate this vulnerability?
Until a fixed lwext4 is available, do not mount or otherwise process ext4 images from untrusted sources with lwext4 1.0.0; an image with a zero logical block size crashes the hosting process, or the whole device on an embedded target without process isolation.
Apply a patched lwext4 as soon as one is released. The fix needs to validate the logical block size (lb_size) in ext4_block_set_lb_size before it is used as a divisor and reject zero; as a matter of good practice the same check should also reject values that are not a power of two in the ext4 range of 1 KiB to 64 KiB or not a multiple of the device's physical sector size, and return an error to the caller rather than asserting or crashing.
If you carry your own copy of the library, that check can be added in-tree as an interim patch. Otherwise, run the consuming application in a contained environment (a separate process, container or sandbox) so that a crash on a malicious image is a recoverable fault rather than an outage of the wider service.
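The validation the mitigation refers to, as an added example that covers both the vulnerable pattern described in the explanation above and the fix. This code is written for this page and is not lwext4's own ext4_block_set_lb_size; the block-device fields (physical sector size and count, logical block size and count) are a constructed model of the geometry such a function manages, and the 1 MiB device in main is likewise constructed. The unchecked version reproduces the bug class: the logical block size taken from the image goes straight into a division. The checked version rejects zero before any arithmetic and, going beyond the single check the page calls for, also enforces that the value is a power of two in ext4's 1 KiB to 64 KiB range and a multiple of the physical sector size, returning an error code instead of crashing.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a block device descriptor; not lwext4's struct. */
struct blockdev_model {
    uint32_t ph_bsize;   /* physical sector size reported by the driver */
    uint64_t ph_bcnt;    /* number of physical sectors */
    uint32_t lg_bsize;   /* logical (filesystem) block size, set here */
    uint64_t lg_bcnt;    /* number of logical blocks, derived here */
};

#define EXT4_MIN_BLOCK_SIZE 1024u
#define EXT4_MAX_BLOCK_SIZE 65536u

/* Vulnerable pattern, as the advisory describes it: the logical block size
 * taken from the image is trusted and used as a divisor. With lb_bsize == 0
 * the integer division traps (SIGFPE on Linux/x86). Never call this with 0. */
void set_lb_size_unchecked(struct blockdev_model *bdev, uint32_t lb_bsize)
{
    bdev->lg_bsize = lb_bsize;
    bdev->lg_bcnt  = (bdev->ph_bcnt * bdev->ph_bsize) / lb_bsize;
}

static bool is_power_of_two(uint32_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* Hardened version: validate before any arithmetic, fail soft with -1. */
int set_lb_size_checked(struct blockdev_model *bdev, uint32_t lb_bsize)
{
    if (lb_bsize == 0)                                   /* the CVE trigger */
        return -1;
    if (!is_power_of_two(lb_bsize))                      /* ext4 sizes are 2^(10+n) */
        return -1;
    if (lb_bsize < EXT4_MIN_BLOCK_SIZE || lb_bsize > EXT4_MAX_BLOCK_SIZE)
        return -1;
    if (bdev->ph_bsize == 0 || lb_bsize % bdev->ph_bsize != 0)
        return -1;                                       /* must cover whole sectors */
    if (bdev->ph_bcnt > UINT64_MAX / bdev->ph_bsize)     /* byte size must not overflow */
        return -1;

    uint64_t bytes = bdev->ph_bcnt * bdev->ph_bsize;
    bdev->lg_bsize = lb_bsize;
    bdev->lg_bcnt  = bytes / lb_bsize;
    return 0;
}

/* Exercise the checked path on a fresh device model; returns 0 or -1. */
int try_lb_size(uint32_t ph_bsize, uint64_t ph_bcnt, uint32_t lb_bsize)
{
    struct blockdev_model bdev = { ph_bsize, ph_bcnt, 0, 0 };
    return set_lb_size_checked(&bdev, lb_bsize);
}

/* Logical block count on success, 0 when the size was rejected. */
uint64_t lb_count_or_zero(uint32_t ph_bsize, uint64_t ph_bcnt, uint32_t lb_bsize)
{
    struct blockdev_model bdev = { ph_bsize, ph_bcnt, 0, 0 };
    if (set_lb_size_checked(&bdev, lb_bsize) != 0)
        return 0;
    return bdev.lg_bcnt;
}

int main(void)
{
    /* Constructed 1 MiB device: 2048 sectors of 512 bytes. */
    static const uint32_t candidates[] = { 4096, 0, 3072, 512, 131072 };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        uint32_t lb = candidates[i];
        int rc = try_lb_size(512, 2048, lb);
        printf("lb_size=%u -> %s (lg_bcnt=%llu)\n", lb,
               rc == 0 ? "accepted" : "rejected",
               (unsigned long long)lb_count_or_zero(512, 2048, lb));
    }
    return 0;
}
```

The design point is that the function returns an error the mount path can propagate; an assert is not a fix, because asserts are commonly compiled out in release builds and the division would then run unguarded again.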