Security Vulnerabilities
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.
CVSS Score
5.5
EPSS Score
0.002
Published
2026-06-03
An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability occurs due to insufficient validation of extent header fields before performing a binary search over extent index entries, which can result in invalid pointer calculations and an out-of-bounds memory read during extent tree traversal.
CVSS Score
6.5
EPSS Score
0.004
Published
2026-06-03
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information via unspecified vectors.
CVSS Score
4.1
EPSS Score
0.003
Published
2026-06-03
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.003
Published
2026-06-03
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors.
CVSS Score
7.8
EPSS Score
0.001
Published
2026-06-03
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-06-03
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors.
CVSS Score
7.8
EPSS Score
0.001
Published
2026-06-03
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.
CVSS Score
8.7
EPSS Score
0.004
Published
2026-06-03
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
CVSS Score
8.7
EPSS Score
0.004
Published
2026-06-03
The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
CVSS Score
7.2
EPSS Score
0.004
Published
2026-06-03