Integer Underflow Vulnerability in Eclipse CycloneDDS by Eclipse Foundation
CVE-2024-10838
8.8 HIGH
Summary
An integer underflow in the deserialization code lets an unauthenticated remote peer cause the receiving process to read heap memory out of bounds. The bytes read back can contain sensitive data or pointers, and leaked pointers reveal the address-space layout around the deserialized structure, which helps an attacker defeat ASLR; the same out-of-bounds read can also crash the receiving thread and so cause a denial of service. Affected deployments should upgrade to a fixed release (0.10.5 or later).
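The bug class the summary describes, as an added example in C that is not CycloneDDS code and does not reproduce its wire format: a constructed message carries an attacker-controlled total-length field, and the parser derives the payload length by subtracting the header size in unsigned arithmetic. When the declared total is smaller than the header, the subtraction wraps to a huge value and any copy sized by it reads far past the buffer. The vulnerable computation is shown next to a hardened one that validates the declared length before using it. The message layout, `HEADER_LEN` and all function names are assumptions for illustration; the vulnerable function reports the length it would use instead of actually performing the out-of-bounds read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for this illustration (not CycloneDDS's format):
 *   [0..3] total message length, little-endian uint32 (attacker-controlled)
 *   [4..5] type tag
 *   [6..]  payload, whose length the parser derives as total_len - HEADER_LEN */
#define HEADER_LEN 6u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the declared length is trusted and the subtraction is
 * done in unsigned arithmetic. If total_len < HEADER_LEN the result wraps
 * (e.g. 2 - 6 becomes 0xFFFFFFFC). Returns the payload length the parser
 * would pass to memcpy/strndup; a real parser would read out of bounds here,
 * so this demo stops short of the copy. buflen must be >= HEADER_LEN. */
static uint32_t vuln_payload_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < HEADER_LEN)
        return 0;
    uint32_t total_len = rd_le32(buf);
    return total_len - HEADER_LEN;   /* underflows when total_len < HEADER_LEN */
}

/* True when the vulnerable computation yields more bytes than were received,
 * i.e. the copy sized by it would read past the end of the heap buffer. */
static bool vuln_would_read_oob(const uint8_t *buf, size_t buflen)
{
    if (buflen < HEADER_LEN)
        return false;
    return (size_t)vuln_payload_len(buf, buflen) > buflen - HEADER_LEN;
}

/* Hardened: check the declared length against both the fixed header size and
 * the number of bytes actually received before deriving anything from it.
 * Returns the payload length, or -1 for a malformed message. */
static int64_t safe_payload_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < HEADER_LEN)
        return -1;                      /* not even a full header */
    uint32_t total_len = rd_le32(buf);
    if (total_len < HEADER_LEN)
        return -1;                      /* subtraction would underflow */
    if (total_len > buflen)
        return -1;                      /* claims more than was received */
    return (int64_t)(total_len - HEADER_LEN);
}

/* Constructed sample messages. */
static const uint8_t good_msg[] = { 0x0a, 0, 0, 0, 0x01, 0x00, 'A', 'B', 'C', 'D' }; /* total_len = 10 */
static const uint8_t bad_msg[]  = { 0x02, 0, 0, 0, 0x01, 0x00, 'X', 'Y', 'Z', 'W' }; /* total_len = 2 < HEADER_LEN */

int main(void)
{
    printf("good: vuln=%u safe=%lld oob=%d\n",
           vuln_payload_len(good_msg, sizeof good_msg),
           (long long)safe_payload_len(good_msg, sizeof good_msg),
           vuln_would_read_oob(good_msg, sizeof good_msg));
    printf("bad:  vuln=%u safe=%lld oob=%d\n",
           vuln_payload_len(bad_msg, sizeof bad_msg),
           (long long)safe_payload_len(bad_msg, sizeof bad_msg),
           vuln_would_read_oob(bad_msg, sizeof bad_msg));
    return 0;
}
```

The two checks in `safe_payload_len` are the point: rejecting `total_len < HEADER_LEN` prevents the wrap, and rejecting `total_len > buflen` stops a well-formed but oversized declaration from reading past the received bytes. Fuzzing the deserializer with short and undersized length fields is the quickest way to find this pattern in a real code base.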
Affected Version(s)
Eclipse Cyclone DDS: all versions prior to 0.10.5
References
CVSS v4.0
Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Robert Femmer