Out-of-Bound Vulnerability in ESP-NOW Wi-Fi Communication Protocol

CVE-2024-42484

Summary

The ESP-NOW component is responsible for providing a connectionless Wi-Fi communication protocol, which is prone to an Out-of-Bound (OOB) vulnerability due to improper validation of input fields. Specifically, an issue arises from the lack of checks on the addrs_num field in group type messages. When this field is not validated correctly, it allows attackers to exploit the vulnerability by sending a group type message that includes an invalid addrs_num. This oversight can result in the handling of a message that exceeds the current buffer size, leading to memory corruption attacks. Proper validation for both addrs_num and addrs_list fields is essential to mitigate the risk associated with this vulnerability.

References