QwikSec

Security Database

CVE

CWE

Training

CVE-2024-31225

Published: May 1, 2024

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

8.4

HIGH

Description

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The `_on_rd_init()` function does not implement a size check before copying data to the `_result_buf` static buffer. If an attacker can craft a long enough payload, they could cause a buffer overflow. If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. This issue has yet to be patched. Users are advised to add manual bounds checking.

Vendor	Product	Versions
RIOT-OS	RIOT	affected `<= 2023.10`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2572-7q7c-3965

x_refsource_CONFIRM

https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/cord/lc/cord_lc.c#L218

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2024/05/07/3

http://seclists.org/fulldisclosure/2024/May/7

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.