Buffer Overflow Vulnerability in RIOT Operating System Could Lead to Denial of Service or Arbitrary Code Execution
CVE-2024-32018

8.8 HIGH

Key Information:

Vendor: Riot-os

CVE Published: 1 May 2024

What is CVE-2024-32018?

A buffer overflow vulnerability has been identified in the RIOT operating system, which supports various microcontroller devices. The vulnerability arises from the use of assertion macros, which do not enforce checks in non-debug builds. Specifically, in the nimble_scanlist_update() function, if the length len is controlled by an attacker and exceeds the size of the intended buffer, the unchecked len is passed to memcpy() and causes a buffer overflow. This flaw presents multiple security risks, including potential denial of service or arbitrary code execution, if not properly mitigated. Users are advised to implement manual length checks to secure their applications against this risk.
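The pattern described above, as an added illustration that is not RIOT's source code: a bound expressed only through an assertion that is absent in a non-debug build, next to the manual length check the advisory recommends. All names (demo_entry_t, RELEASE_ASSERT, run_case) and both sizes are hypothetical, and the data slot and its neighbouring guard bytes share one array so the over-long copy stays inside the object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_SLOT_LEN 31u /* assumed size of the data slot */
#define GUARD_LEN   8u  /* neighbouring bytes that must never change */
/* Stand-in for an assertion macro in a non-debug build: expands to nothing. */
#define RELEASE_ASSERT(cond) ((void)0)

/* Hypothetical entry: slot and neighbours share one byte array, so an
 * over-long copy is observable without leaving the object. */
typedef struct { uint8_t mem[AD_SLOT_LEN + GUARD_LEN]; } demo_entry_t;

static int guard_intact(const demo_entry_t *e) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (e->mem[AD_SLOT_LEN + i] != 0xA5) return 0;
    return 1;
}

/* Flawed pattern: the only bound on len is an assertion that vanished. */
static void update_assert_only(demo_entry_t *e, const uint8_t *ad, size_t len) {
    RELEASE_ASSERT(len <= AD_SLOT_LEN);
    memcpy(e->mem, ad, len);
}

/* Manual length check: oversized input is rejected in every build type. */
static int update_checked(demo_entry_t *e, const uint8_t *ad, size_t len) {
    if (len > AD_SLOT_LEN) return -1;
    memcpy(e->mem, ad, len);
    return 0;
}

/* Constructed input of len bytes (len <= 39 here); returns 1 if the guard survived. */
int run_case(int use_check, size_t len) {
    uint8_t ad[AD_SLOT_LEN + GUARD_LEN];
    demo_entry_t e;
    memset(ad, 0x41, sizeof ad);
    memset(e.mem, 0xA5, sizeof e.mem);
    if (use_check) (void)update_checked(&e, ad, len);
    else update_assert_only(&e, ad, len);
    return guard_intact(&e);
}

int main(void) {
    printf("assert only,  len 35: guard intact = %d\n", run_case(0, 35));
    printf("manual check, len 35: guard intact = %d\n", run_case(1, 35));
    return 0;
}
```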

Affected Version(s)

RIOT <= 2023.10

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
