Vulnerability Spotlight: Code execution, information disclosure vulnerabilities in F2FS toolset

Vulnerability Spotlight: Code execution, information disclosure vulnerabilities in F2FS toolset


Vulnerabilities discovered by a Cisco Talos researcher. Blog by Jon Munshaw.



Cisco Talos recently discovered multiple code execution and information disclosure vulnerabilities in various functions of the F2FS toolset. F2FS is a filesystem toolset commonly found in embeddeddevices that creates, verifies and/or fixes Flash-Friendly File System files. An attacker could provide a malicious file to the target to trigger these vulnerabilities, causing a variety of negative conditions for the target.

In accordance with Cisco’s coordinated disclosure policy, we are disclosing these vulnerabilities without an update from F2FS after the organization failed to meet the 90-day deadline.

Vulnerability details


F2fs-Tools F2fs.Fsck filesystem checking information disclosure vulnerability (TALOS-2020-1046/CVE-2020-6104)


An exploitable information disclosure vulnerability exists in the get_dnode_of_data functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause information disclosure resulting in the disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.


Read the complete vulnerability advisory here for additional information. 


F2fs-Tools F2fs.Fsck multiple devices code execution vulnerability (TALOS-2020-1047/CVE-2020-6105)


An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.


Read the complete vulnerability advisory here for additional information. 


F2fs-Tools F2fs.Fsck ..