CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-57262: In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem...

7.1 CVSS

Description

In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite, a related issue to CVE-2024-57256.

Classification

CVE ID: CVE-2024-57262

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor: Pengutronix

Product: barebox

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 4.12% (scored less or equal to compared to others)

EPSS Date: 2025-03-20 (when was this score calculated)

References

https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d8
https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d87ba6f88a9ea50e71f107b514ff4e

Timeline

2025-02-20 00:31:06 UTC
CVE

In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem...