Input Length Validation Flaw in Zephyr Bluetooth Services
CVE-2024-8798

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 16 December 2024

What is CVE-2024-8798?

CVE-2024-8798 is a high-severity vulnerability affecting the Zephyr Real-Time Operating System (RTOS). The flaw arises from improper validation of the length of user input in the olcp_ind_handler function of the Bluetooth Object Transfer Service (OTS) implementation. Exploitation could lead to overflow attacks, potentially allowing unauthorized access or Denial of Service (DoS) conditions. The vulnerability highlights the importance of robust input validation in software development, especially in connectivity protocols such as Bluetooth.

Affected Version(s)

Zephyr * <= 3.7

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
