CVE-2024-57262

HIGH EPSS 19.3%

Published Feb 19, 20251y ago · Modified Jun 17, 20261w ago

7.1 CVSS 3.1

High

Published Feb 19, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite, a related issue to CVE-2024-57256.

CVSS Details

Base Score

7.1

Exploitability

0.5

Impact

6.0

Vector string

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector Physical

Attack Complexity High

Privileges Required None

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

19.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-190 Integer Overflow or Wraparound Numeric Error

References 2

git.pengutronix.de https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d8
git.pengutronix.de https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d87ba6f88a9ea50e71f107b514ff4e

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.