CVE-2025-70099 Overview
CVE-2025-70099 is a NULL pointer dereference vulnerability [CWE-476] in the ext4_dir_en_get_name_len function defined in include/ext4_dir.h of lwext4 1.0.0. The flaw allows a remote attacker to trigger a denial of service by supplying a crafted EXT4 filesystem image containing malformed directory entries. During directory iteration, the affected code fails to validate the directory entry pointer before reading the name_len field, producing a segmentation fault. The issue affects code based on the 2016-era lwext4 1.0.0 codebase.
Critical Impact
Attackers can crash any application or embedded system that mounts an attacker-supplied EXT4 image using lwext4, resulting in service disruption on devices that depend on the library for filesystem access.
Affected Products
- lwext4 version 1.0.0
- Forks and downstream projects based on the lwext4 2016 codebase
- Embedded systems and firmware that integrate lwext4 for EXT4 filesystem support
Discovery Timeline
- 2026-06-01 - CVE-2025-70099 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2025-70099
Vulnerability Analysis
lwext4 is a portable EXT2/3/4 filesystem implementation used in embedded systems, bootloaders, and userspace tooling. The ext4_dir_en_get_name_len inline accessor in include/ext4_dir.h reads the name_len member from an ext4_dir_en structure during directory traversal. When the library iterates entries inside a directory block, the iterator can advance past valid data when offsets, record lengths, or entry counts within the on-disk structure are malformed.
The accessor dereferences the entry pointer directly without first verifying that the pointer references a valid in-bounds entry. A crafted EXT4 image can therefore steer the iterator to an invalid address, and the subsequent read of name_len triggers a segmentation fault. The result is a process-level denial of service rather than memory corruption or code execution, which aligns with the impact profile of the assigned CWE-476.
Root Cause
The root cause is missing pointer and bounds validation in the directory entry accessor path. The on-disk EXT4 directory layout encodes record length (rec_len) and name_len fields that the library trusts when walking entries. Because ext4_dir_en_get_name_len does not confirm the entry pointer lies within the parent directory block before dereferencing, a malformed rec_len chain or a truncated block produces an out-of-bounds or NULL access during iteration.
Attack Vector
Exploitation requires the victim system to mount or parse a crafted EXT4 filesystem image. In embedded deployments, this can occur when a device automounts removable media, processes a downloaded image, or accepts a filesystem blob over a network interface that ultimately feeds lwext4. No authentication or user interaction is required at the library boundary, and the crash occurs during normal directory enumeration.
No verified public exploit code is provided in authoritative references. A proof-of-concept image and discussion are referenced in the GitHub Issue Discussion and GitHub PoC Code.
Detection Methods for CVE-2025-70099
Indicators of Compromise
- Repeated segmentation faults (SIGSEGV) in processes or firmware components that invoke lwext4 directory iteration routines.
- Crash logs referencing ext4_dir_en_get_name_len or surrounding directory iteration symbols in lwext4.
- Unexpected termination of services immediately after mounting or scanning an EXT4 image from untrusted media or network sources.
Detection Strategies
- Inventory all binaries and firmware images for statically or dynamically linked copies of lwext4 1.0.0 using software composition analysis.
- Monitor kernel and userspace crash telemetry for SIGSEGV events correlated with EXT4 mount or parse operations.
- Hash-check shipped EXT4 images and reject filesystem blobs from untrusted sources at the application layer.
Monitoring Recommendations
- Forward dmesg, journald, and embedded device watchdog logs to a central log store and alert on crash loops in filesystem-handling processes.
- Track process restart frequency for services that consume user-supplied filesystem images and flag sustained spikes.
- Capture core dumps where policy allows so responders can confirm crashes originate inside lwext4 directory parsing code.
How to Mitigate CVE-2025-70099
Immediate Actions Required
- Identify every product and firmware build that includes lwext4 1.0.0 or a downstream fork of the 2016-era codebase.
- Disable automatic mounting of EXT4 images from removable media or untrusted network paths until a fix is deployed.
- Sandbox lwext4 consumers so that crashes do not affect adjacent services or persistent device state.
Patch Information
No official vendor advisory or patched release is listed in the NVD entry at publication time. Maintainers and integrators should track the upstream GitHub Issue Discussion for a fix and apply a local patch that validates directory entry pointers and rec_len bounds before dereferencing name_len in ext4_dir_en_get_name_len. Rebuild and redistribute affected firmware once the fix is verified against the referenced PoC image.
Workarounds
- Restrict filesystem mount operations to images originating from trusted, signed sources.
- Add a pre-parse validator that checks EXT4 superblock and directory block integrity before passing data to lwext4.
- Run lwext4-based parsers in an isolated process with automatic restart and rate limiting to contain denial-of-service impact.
# Configuration example: restrict automount of untrusted EXT4 media on Linux-based embedded hosts
# /etc/udev/rules.d/99-block-untrusted-ext4.rules
SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="ext4", ENV{ID_BUS}=="usb", ENV{UDISKS_IGNORE}="1"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

