Security readout for executives and security teams
Plain-English summary
CVE-2019-5094 is a memory corruption flaw in E2fsprogs, a common Linux filesystem utility set. A maliciously corrupted ext4 partition can trigger heap memory corruption in quota handling, potentially allowing code execution. Business urgency is highest where administrators or automation process untrusted disk images, removable media, or customer-supplied ext4 filesystems.
Executive priority
Treat this as a high-priority infrastructure hygiene issue, not an internet-wide emergency. Patch affected Linux and appliance environments, especially where storage images or removable media cross trust boundaries. No provided evidence supports active exploitation, but successful compromise could be severe.
Technical view
E2fsprogs 1.43.3 through 1.45.3 is affected by a CWE-787 heap out-of-bounds write in quota file functionality. The CVSS vector is local, high-complexity, high-privilege, no-user-interaction, scope-changed, with high confidentiality, integrity, and availability impact.
Likely exposure
Exposure is most likely on Linux hosts, recovery systems, build pipelines, forensic tooling, and appliances using affected E2fsprogs versions to inspect or repair ext4 filesystems. Risk is lower for systems that never process untrusted ext4 partitions or disk images.
Exploitation context
The provided sources describe code execution from a specially crafted or corrupted ext4 partition. CISA KEV status is false in the bundle, and no provided source states active exploitation. The attack requires local access and high privileges, so practical exploitation depends on operational workflows around filesystem handling.
Researcher notes
The key behavior is quota-file parsing in E2fsprogs causing a heap out-of-bounds write when handling a crafted ext4 partition. Validation should focus on version exposure and workflows that invoke affected tools against attacker-controlled filesystems. Avoid assuming network reachability or unauthenticated exploitation from the supplied evidence.
Mitigation direction
- Upgrade E2fsprogs using the relevant Debian, Ubuntu, Fedora, Gentoo, or vendor advisory package.
- Identify appliances or products that embed E2fsprogs and check their vendor guidance.
- Restrict processing of untrusted ext4 partitions, removable media, and disk images on affected systems.
- Run filesystem inspection or recovery workflows in isolated environments until patched.
- Prioritize hosts where privileged automation handles externally supplied storage artifacts.
Validation and detection
- Inventory installed E2fsprogs versions and flag 1.43.3 through 1.45.3.
- Confirm package fixes against applicable Debian, Ubuntu, Fedora, Gentoo, or vendor advisories.
- Review automation that mounts, checks, repairs, or imports ext4 images from untrusted sources.
- Verify privileged operators cannot unknowingly process attacker-controlled ext4 media on vulnerable hosts.
- Document residual exposure for embedded or appliance deployments awaiting vendor updates.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-787: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2019-5094 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H0.86Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
7.5HighVector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- DSA-4535CVE reference · vendor-advisory, x_refsource_DEBIAN
- [debian-lts-announce] 20190928 [SECURITY] [DLA 1935-1] e2fsprogs security updateCVE reference · mailing-list, x_refsource_MLIST
- 20190929 [SECURITY] [DSA 4535-1] e2fsprogs security updateCVE reference · mailing-list, x_refsource_BUGTRAQ
- USN-4142-2CVE reference · vendor-advisory, x_refsource_UBUNTU
- USN-4142-1CVE reference · vendor-advisory, x_refsource_UBUNTU
- FEDORA-2020-a724cc7926CVE reference · vendor-advisory, x_refsource_FEDORA
- FEDORA-2020-01ed02451fCVE reference · vendor-advisory, x_refsource_FEDORA
- GLSA-202003-05CVE reference · vendor-advisory, x_refsource_GENTOO
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887CVE reference · x_refsource_MISC
- https://security.netapp.com/advisory/ntap-20200115-0002/CVE reference · x_refsource_CONFIRM
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Out-of-bounds Write
Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
