CVE-2024-57256
Published: 18 February 2025
Description
An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
Security Summary
CVE-2024-57256 is an integer overflow vulnerability (CWE-190) in the ext4fs_read_symlink function within Das U-Boot versions prior to 2025.01-rc1. The issue arises when processing a crafted ext4 filesystem featuring an inode size of 0xffffffff, which causes an overflow during a zalloc operation that adds one to an le32 variable. This results in a malloc allocation of zero bytes, enabling a subsequent memory overwrite.
Exploitation requires physical access to the target device (AV:P) and involves high attack complexity (AC:H), with no privileges (PR:N) or user interaction (UI:N) needed. The attack has a changed scope (S:C) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), scoring 7.1 under CVSS 3.1. A successful exploit could allow an attacker to overwrite memory, potentially leading to arbitrary code execution or system compromise on affected U-Boot bootloaders.
The fix is commit 35f75d2a46e5859138c83a75cd2f4141c5479ab9 in the U-Boot repository; users should pick it up by updating to Das U-Boot 2025.01-rc1 or later. Announcements on oss-security (2025/02/17) detail the vulnerability disclosure, while Debian LTS tracking (2025/05) indicates backported fixes for affected distributions. Security practitioners should verify bootloader versions in embedded or boot environments and test crafted filesystem inputs during validation.
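The 32-bit wrap described in the summary, shown as an added C example beside a checked form. This is not U-Boot's code or the upstream patch: `alloc_len_unchecked`, `alloc_len_checked` and `read_symlink_checked` are hypothetical names, and the in-memory `src` buffer is an assumed stand-in for on-disk symlink data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern: "size + 1" is evaluated in 32 bits, so an on-disk
 * size of 0xffffffff wraps to 0 and the allocator is asked for 0 bytes. */
static uint32_t alloc_len_unchecked(uint32_t inode_size)
{
    return inode_size + 1;
}

/* Checked form: refuse a size whose "+ 1" cannot be represented.
 * Returns 0 and stores the length on success, -1 on overflow. */
static int alloc_len_checked(uint32_t inode_size, size_t *out)
{
    if (inode_size == UINT32_MAX)
        return -1;
    *out = (size_t)inode_size + 1;
    return 0;
}

/* Hypothetical reader: copies inode_size bytes of symlink target into a
 * fresh NUL-terminated buffer, rejecting crafted or oversized lengths. */
static char *read_symlink_checked(const uint8_t *src, size_t src_len,
                                  uint32_t inode_size)
{
    size_t len;
    char *buf;

    if (alloc_len_checked(inode_size, &len) != 0)
        return NULL;                 /* 0xffffffff: would wrap to 0 */
    if (inode_size > src_len)
        return NULL;                 /* claims more data than exists */
    buf = calloc(1, len);            /* zeroed, so the result is terminated */
    if (!buf)
        return NULL;
    memcpy(buf, src, inode_size);
    return buf;
}

int main(void)
{
    const uint8_t target[] = "/boot/uImage";   /* constructed sample data */
    char *ok = read_symlink_checked(target, 12, 12);

    printf("unchecked len for 0xffffffff: %u\n",
           (unsigned)alloc_len_unchecked(0xffffffffu));
    printf("checked read: %s\n", ok ? ok : "(rejected)");
    printf("crafted size: %s\n",
           read_symlink_checked(target, 12, 0xffffffffu) ? "accepted" : "rejected");
    free(ok);
    return 0;
}
```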
Details
- CWE(s)