Buffer Overflow Vulnerability in RIOT Operating System Could Lead to Denial of Service or Arbitrary Code Execution
CVE-2024-32018

8.8HIGH

Key Information:

Vendor

Riot-os

Status
Riot
Vendor
CVE Published:
1 May 2024

What is CVE-2024-32018?

A buffer overflow vulnerability has been identified in the RIOT operating system, which supports various microcontroller devices. The vulnerability arises from the use of assertion macros that do not enforce checks in non-debug builds. Specifically, in the nimble_scanlist_update() function, if the specified length len is controlled by an attacker and it exceeds the size of the intended buffer, it can lead to a buffer overflow when the unchecked len is passed to the memcpy() function. This flaw presents multiple security risks, including potential denial of service or arbitrary code execution, if not properly mitigated. Users are recommended to implement manual length checks to secure their applications against this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

RIOT <= 2023.10

References

https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/RIOT-OS/RIOT/blob/master/pkg/nimble/sc...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2024/05/07/3

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.