PT-2026-51425 · Zephyrproject Rtos · Zephyr

Published: 2026-06-22 · Updated: 2026-06-23 · CVE-2026-10645

CVSS v3.1: 4.9 (Medium)

Vector: AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the name with memcpy without validating the structural relationship between de_rec_len, de_name_len, and the directory block boundary (for example that de_rec_len is non-zero, at least the size of the entry header, and that the record fits within the block). Callers such as find_dir_entry() and ext2_get_direntry() (subsys/fs/ext2/ext2_impl.c) then advance traversal using the unvalidated de_rec_len.

A crafted ext2 image can therefore cause an out-of-bounds read from the directory block buffer when a malformed entry near the end of a block triggers an oversized name copy, or a zero-progress infinite loop when de_rec_len == 0.

The issue is not reached at mount time but later through directory traversal paths such as pathname lookup, stat/open/unlink/rename, and readdir. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media.
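
The structural checks listed above, written out as an added example. This is not Zephyr's code or the upstream fix: direntry_check(), count_entries(), DE_HEADER_SIZE and the sample blocks are hypothetical names and constructed data, and the 8-byte header is the standard ext2 on-disk layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DE_HEADER_SIZE 8u /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

/* Constructed 32-byte directory blocks (not taken from a real image). */
static const uint8_t blk_good[32] = { 2,0,0,0, 12,0, 1,2, '.',0,0,0, 2,0,0,0, 20,0, 2,2, '.','.' };
static const uint8_t blk_zero_rec[32] = { 2,0,0,0, 0,0, 1,2, '.' };
static const uint8_t blk_long_name[32] = { 2,0,0,0, 24,0, 1,2, '.', [24] = 2,0,0,0, 8,0, 200,2 };

/* Return 0 and the record length if the entry at off is structurally sound. */
int direntry_check(const uint8_t *blk, size_t blk_size, size_t off, uint16_t *rec_len_out)
{
	uint16_t rec_len;

	if (off > blk_size || blk_size - off < DE_HEADER_SIZE)
		return -1; /* header itself would cross the end of the block */
	rec_len = (uint16_t)(blk[off + 4] | (blk[off + 5] << 8)); /* little-endian */
	if (rec_len < DE_HEADER_SIZE)
		return -1; /* zero or short record: traversal would not advance */
	if (rec_len > blk_size - off)
		return -1; /* record runs past the directory block */
	if (DE_HEADER_SIZE + blk[off + 6] > rec_len)
		return -1; /* name_len bytes would be read from outside the record */
	*rec_len_out = rec_len;
	return 0;
}

/* Walk one block; return the entry count, or -1 at the first malformed entry. */
int count_entries(const uint8_t *blk, size_t blk_size)
{
	size_t off = 0;
	int n = 0;
	uint16_t rec_len;

	for (; off < blk_size; off += rec_len, n++) {
		if (direntry_check(blk, blk_size, off, &rec_len) != 0)
			return -1;
	}
	return n;
}

int main(void)
{
	printf("good=%d zero_rec=%d long_name=%d\n", count_entries(blk_good, 32),
	       count_entries(blk_zero_rec, 32), count_entries(blk_long_name, 32));
	return 0;
}
```

Because every accepted record is at least DE_HEADER_SIZE bytes and fits in the block, the walk always advances and terminates within the buffer.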

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-10645

Affected Products

Zephyr