Buffer Overflow Vulnerability in RIOT Operating System Could Lead to Denial of Service or Arbitrary Code Execution
CVE-2024-31225

8.4HIGH

Key Information:

Vendor: Riot-os
Status: Riot
Vendor: CVE Published:; 1 May 2024

What is CVE-2024-31225?

The RIOT operating system, which supports a variety of 8-bit, 16-bit, and 32-bit microcontrollers, contains a vulnerability in its _on_rd_init() function. This function is not equipped with adequate size checks for the _result_buf static buffer during data copying. If an attacker manages to craft a sufficiently long payload, this can lead to a buffer overflow. The implications of this vulnerability include the possibility of denial of service or arbitrary code execution, especially if attacker-controlled inputs traverse security boundaries. Currently, this vulnerability has not been addressed with a patch, and users are strongly encouraged to implement manual bounds checking to mitigate risks.

Affected Version(s)

RIOT <= 2023.10

References

https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/RIOT-OS/RIOT/blob/master/sys/net/appli...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2024/05/07/3

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2024
Vulnerability Reserved
Mar 29, 2024

Riot-os

What is CVE-2024-31225?

Affected Version(s)

References

CVSS V3.1

Timeline