Volerion logoVolerion
Volerion logoVolerion

lwext4 NULL Pointer Dereference Vulnerability in Directory Entry Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in lwext4 version 1.0.0, specifically in the 'ext4_dir_en_get_name_len' function within 'include/ext4_dir.h'. This vulnerability allows attackers to cause a denial-of-service condition by providing a specially crafted EXT4 filesystem image with malformed directory entries. The issue arises during directory iteration, where the code fails to properly validate the directory entry pointer before accessing the 'name_len' field, leading to a segmentation fault.

Impact

Exploitation of this vulnerability causes an immediate process crash, resulting in a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by mounting an EXT4 image that contains malformed directory entries using the 'afl_ext4_mount_read' command. This process will trigger the NULL pointer dereference in the 'ext4_dir_en_get_name_len' function, causing a segmentation fault.

Remediation

Users are advised to upgrade to lwext4 version 1.0.1, which addresses this vulnerability.

Added: Jun 1, 2026, 9:34 PM
Updated: Jun 1, 2026, 9:34 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.6
remediation
0.0
relevance
9.7
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.