Barebox Integer Overflow Vulnerability in ext4 Filesystem Handling

Vulnerability

A vulnerability exists in barebox versions prior to 2025.01.0 in the ext4 filesystem code, specifically in the 'ext4fs_read_symlink' function. When the function reads a symbolic link from a crafted ext4 filesystem whose inode reports a size of 0xffffffff, it adds one to that size to allocate room for the target string plus a terminating NUL. The size is a 32-bit unsigned value read little-endian from the inode, so 0xffffffff + 1 wraps to 0 and 'zalloc' is called with a length of zero. The function then uses the original, unchecked inode size as the number of bytes to copy into that zero-length buffer, writing past the end of the allocation. This issue is tracked as CVE-2024-57256.
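The wrap-around described above, shown in a constructed C example that is not barebox's own code: the 32-bit size from the inode is incremented in 32-bit arithmetic, so the result is 0 for 0xffffffff even on a 64-bit host, because the widening to size_t happens after the wrap. The hardened variant is an assumed mitigation (not the upstream patch): it bounds the size before doing any arithmetic. 'struct fake_inode', 'le32_decode', 'MAX_SYMLINK_LEN' and the inline-symlink limit of 60 bytes are stand-ins chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the on-disk ext4 inode fields the page refers
 * to; this is not barebox's own inode structure. Short symlink targets
 * (up to 60 bytes) are stored inline in the inode, the path shown here. */
#define INLINE_SYMLINK_MAX 60u

struct fake_inode {
    uint8_t size_le[4];                 /* i_size, little-endian on disk */
    char    inline_target[INLINE_SYMLINK_MAX];
};

/* Decode a little-endian u32 regardless of host byte order; plays the
 * role of le32_to_cpu() in this example. */
uint32_t le32_decode(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* The arithmetic behind the bug: i_size is an unsigned 32-bit value, so
 * "size + 1" is evaluated in 32 bits and wraps to 0 when size is
 * 0xffffffff. Assigning the result to size_t afterwards does not help,
 * because the wrap has already happened. */
size_t vulnerable_alloc_len(uint32_t inode_size)
{
    size_t n = inode_size + 1;          /* 0 for 0xffffffff: zalloc(0) */
    return n;
}

/* Hardened form (assumed mitigation, not the upstream patch): reject sizes
 * that cannot be a symlink target before any arithmetic, then widen to
 * size_t. MAX_SYMLINK_LEN is a limit chosen for this example. */
#define MAX_SYMLINK_LEN 4096u

bool safe_alloc_len(uint32_t inode_size, size_t *out)
{
    if (inode_size > MAX_SYMLINK_LEN)
        return false;
    *out = (size_t)inode_size + 1;      /* bounded above, cannot wrap */
    return true;
}

/* Hardened read of an inline symlink: returns a NUL-terminated heap copy,
 * or NULL if the inode carries an implausible size. Caller frees it. */
char *read_inline_symlink_hardened(const struct fake_inode *ino)
{
    uint32_t size = le32_decode(ino->size_le);
    size_t alloc_len;

    if (!safe_alloc_len(size, &alloc_len))
        return NULL;
    if (size > INLINE_SYMLINK_MAX)      /* not inline; out of scope here */
        return NULL;

    char *target = calloc(1, alloc_len);
    if (!target)
        return NULL;
    memcpy(target, ino->inline_target, size);
    target[size] = '\0';                /* in bounds: alloc_len == size + 1 */
    return target;
}

/* Build a constructed inode with the given size field and inline target. */
struct fake_inode make_inode(uint32_t size, const char *target)
{
    struct fake_inode ino;
    memset(&ino, 0, sizeof ino);
    ino.size_le[0] = size & 0xff;
    ino.size_le[1] = (size >> 8) & 0xff;
    ino.size_le[2] = (size >> 16) & 0xff;
    ino.size_le[3] = (size >> 24) & 0xff;
    if (target) {
        size_t n = strlen(target);
        if (n > INLINE_SYMLINK_MAX)
            n = INLINE_SYMLINK_MAX;
        memcpy(ino.inline_target, target, n);
    }
    return ino;
}

int main(void)
{
    struct fake_inode good = make_inode(11, "hello-world");
    struct fake_inode bad  = make_inode(0xffffffffu, NULL);

    char *t = read_inline_symlink_hardened(&good);
    printf("good inode -> \"%s\"\n", t ? t : "(null)");
    free(t);

    printf("0xffffffff + 1 as allocation length = %zu\n",
           vulnerable_alloc_len(0xffffffffu));
    printf("hardened read of crafted inode -> %s\n",
           read_inline_symlink_hardened(&bad) ? "buffer" : "rejected");
    return 0;
}
```

The important design point is the order of operations: the bound check runs on the raw 32-bit value first, and only then is the value widened and incremented. Checking `size + 1 == 0` after the fact would also catch 0xffffffff, but a plausibility bound on the size catches every oversized value, not just the one that wraps exactly to zero.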

Impact

Exploitation of this vulnerability yields an out-of-bounds memory write in the bootloader, which could be used to execute arbitrary code or to cause a denial of service. Triggering it requires the bootloader to read a symlink from an attacker-supplied ext4 filesystem image, so the practical exposure depends on whether an attacker can control storage that barebox mounts during boot.

Remediation

Upgrade to barebox version 2025.01.0 or later, which addresses this vulnerability. Until then, avoid booting from or mounting ext4 filesystems from untrusted media.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.