CVE-2024-57262

Name of the Vulnerable Software and Affected Versions barebox versions prior to 2025.01.0

Description The issue is related to an integer overflow in the ext4fs read symlink function when handling a crafted ext4 filesystem with an inode size of 0xffffffff. This results in a malloc of zero and a subsequent memory overwrite. The problem arises from adding one to an le32 variable, which causes the overflow.

Recommendations For versions prior to 2025.01.0, update to version 2025.01.0 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted ext4 filesystems to minimize the risk of exploitation.