LiveActive security incident?Get immediate response
CVE Record

CVE-2019-5094: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3.

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2019-5094 is a memory corruption flaw in E2fsprogs, a common Linux filesystem utility set. A maliciously corrupted ext4 partition can trigger heap memory corruption in quota handling, potentially allowing code execution. Business urgency is highest where administrators or automation process untrusted disk images, removable media, or customer-supplied ext4 filesystems.

Executive priority

Treat this as a high-priority infrastructure hygiene issue, not an internet-wide emergency. Patch affected Linux and appliance environments, especially where storage images or removable media cross trust boundaries. No provided evidence supports active exploitation, but successful compromise could be severe.

Technical view

E2fsprogs 1.43.3 through 1.45.3 is affected by a CWE-787 heap out-of-bounds write in quota file functionality. The CVSS vector is local, high-complexity, high-privilege, no-user-interaction, scope-changed, with high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is most likely on Linux hosts, recovery systems, build pipelines, forensic tooling, and appliances using affected E2fsprogs versions to inspect or repair ext4 filesystems. Risk is lower for systems that never process untrusted ext4 partitions or disk images.

Exploitation context

The provided sources describe code execution from a specially crafted or corrupted ext4 partition. CISA KEV status is false in the bundle, and no provided source states active exploitation. The attack requires local access and high privileges, so practical exploitation depends on operational workflows around filesystem handling.

Researcher notes

The key behavior is quota-file parsing in E2fsprogs causing a heap out-of-bounds write when handling a crafted ext4 partition. Validation should focus on version exposure and workflows that invoke affected tools against attacker-controlled filesystems. Avoid assuming network reachability or unauthenticated exploitation from the supplied evidence.

Mitigation direction

  • Upgrade E2fsprogs using the relevant Debian, Ubuntu, Fedora, Gentoo, or vendor advisory package.
  • Identify appliances or products that embed E2fsprogs and check their vendor guidance.
  • Restrict processing of untrusted ext4 partitions, removable media, and disk images on affected systems.
  • Run filesystem inspection or recovery workflows in isolated environments until patched.
  • Prioritize hosts where privileged automation handles externally supplied storage artifacts.

Validation and detection

  • Inventory installed E2fsprogs versions and flag 1.43.3 through 1.45.3.
  • Confirm package fixes against applicable Debian, Ubuntu, Fedora, Gentoo, or vendor advisories.
  • Review automation that mounts, checks, repairs, or imports ext4 images from untrusted sources.
  • Verify privileged operators cannot unknowingly process attacker-controlled ext4 media on vulnerable hosts.
  • Document residual exposure for embedded or appliance deployments awaiting vendor updates.
Prepared
Confidence
high
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-787: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-5094 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
11Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H0.86Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2019-5094Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/aE2fsprogsE2fsprogs 1.43.3 - 1.45.3Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-787 · source CWE mapping

Out-of-bounds Write

Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.