Infinite Loop Vulnerability in Apache NimBLE Affects Bluetooth Stack or Device
CVE-2024-24746
7.5 HIGH
Summary
An infinite loop vulnerability has been identified in the Apache NimBLE GATT server, triggered by specially crafted GATT operations. This flaw can lead to a denial of service within the Bluetooth stack or devices utilizing the affected version. Users are strongly advised to upgrade to version 1.7.0 or higher to mitigate this issue and ensure the stability of their Bluetooth operations.
Affected Version(s)
Apache NimBLE 0 <= 1.6.0
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Baptiste Boyer from Quarkslab Vulnerability Reports team