CVE-2024-57262

HIGH

Barebox <2025.01.0 - Memory Corruption

Title source: llm

Description

In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite, a related issue to CVE-2024-57256.

References (2)

Core 2

Core References

Patch

https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d8

Patch

https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d87ba6f88a9ea50e71f107b514ff4e

Scores

CVSS v3 7.1

EPSS 0.0027

EPSS Percentile 19.1%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-190

Status published

Products (1)

Pengutronix/barebox < 2025.01.0

Published Feb 19, 2025

Tracked Since Feb 18, 2026