FreeRTOS Kernel Vulnerable to Local Privilege Escalation via Return Oriented Programming
CVE-2024-28115

7.8HIGH

Key Information:

Vendor: Freertos
Status: Freertos-kernel
Vendor: CVE Published:; 7 March 2024

What is CVE-2024-28115?

The FreeRTOS Kernel, a widely used real-time operating system for microcontrollers created by Amazon, has a vulnerability that enables local privilege escalation via Return Oriented Programming techniques. This issue is primarily relevant for versions of the FreeRTOS Kernel up to 10.6.1, specifically affecting ARMv7-M MPU ports and ARMv8-M ports with Memory Protection Unit (MPU) features enabled. If a vulnerability permits code injection, an attacker could exploit this to execute unauthorized code within the system. Amazon has addressed this issue in FreeRTOS Kernel version 10.6.2, introducing a new MPU wrapper to enhance security.

Affected Version(s)

FreeRTOS-Kernel < 10.6.2

References

https://github.com/FreeRTOS/FreeRTOS-Kernel/security/advi...

x_refsource_CONFIRM

https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/...

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2024
Vulnerability Reserved
Mar 4, 2024

CVE-2024-28115 Data

JSON

Freertos

What is CVE-2024-28115?

Affected Version(s)

References

CVSS V3.1

Timeline