Heap Buffer Overflow Vulnerability in Eclipse ThreadX NetX Duo Before 6.4.0
CVE-2024-2452

9.8 CRITICAL

Key Information:

CVE Published: 26 March 2024

What is CVE-2024-2452?

A vulnerability exists in Eclipse ThreadX NetX Duo prior to version 6.4.0, where manipulation of the parameters passed to the __portable_aligned_alloc() function can cause an integer wrap-around. The wrapped value makes the function allocate less memory than intended, which opens the door to heap buffer overflows. Such an overflow can allow an attacker to execute arbitrary code, compromising the system's integrity and confidentiality.
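The sketch below is an added illustration of the bug class, written for this page and not taken from NetX Duo or the advisory: a hypothetical aligned-allocation wrapper whose padded-size arithmetic wraps on an oversized request, beside an overflow-checked version and a hardened allocator built on it. The header layout and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical aligned-allocation wrapper (not NetX Duo's code). It must
 * over-allocate so it can round the pointer up to `alignment` and keep the
 * raw malloc() pointer in a small header just before the returned block. */
#define HEADER_SIZE (sizeof(void *))

/* Unchecked total: with a huge `size` the sum wraps to a small number, so
 * malloc() hands back far fewer bytes than the caller will later write.
 * That is the bug class this CVE describes. */
size_t unchecked_total(size_t size, size_t alignment) {
    return size + (alignment - 1) + HEADER_SIZE;
}

/* Checked total: rejects non-power-of-two alignments and any request whose
 * padded size cannot be represented in a size_t. Returns 0 on rejection. */
size_t checked_total(size_t size, size_t alignment) {
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return 0;                                   /* alignment must be 2^n */
    if (size > SIZE_MAX - (alignment - 1) - HEADER_SIZE)
        return 0;                                   /* padded size would wrap */
    return size + (alignment - 1) + HEADER_SIZE;
}

/* Hardened allocator built on checked_total(); returns NULL on bad input. */
void *safe_aligned_alloc(size_t size, size_t alignment) {
    size_t total = checked_total(size, alignment);
    if (total == 0) return NULL;
    unsigned char *raw = malloc(total);
    if (raw == NULL) return NULL;
    /* Round up past the header; the bound in checked_total() keeps
     * user + size within raw[0..total). */
    uintptr_t aligned = ((uintptr_t)raw + HEADER_SIZE + alignment - 1)
                        & ~(uintptr_t)(alignment - 1);
    unsigned char *user = (unsigned char *)aligned;
    memcpy(user - HEADER_SIZE, &raw, sizeof raw);   /* stash raw pointer */
    return user;
}

void safe_aligned_free(void *p) {
    unsigned char *raw;
    if (p == NULL) return;
    memcpy(&raw, (unsigned char *)p - HEADER_SIZE, sizeof raw);
    free(raw);
}
```

The unchecked variant returns a tiny value for a request near SIZE_MAX, which is exactly the undersized allocation the advisory warns about; the checked variant refuses it.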

Affected Version(s)

ThreadX: all versions from 0 up to, but not including, 6.4.0

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Ivaldi