Max-R-B

**Name of the Vulnerable Software and Affected Versions** eswifi (affected versions not specified) **Description** The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space. Oversized sends can overflow `eswifi->buf`, leading to kernel memory corruption. Exploitation requires local code that can call the socket send API; direct remote access is not possible. The issue involves a lack of bounds checking on the payload length when using the socket send functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The Zephyr crypto driver contains a flaw where malformed ATAES132A responses with an oversized length field can cause a 52-byte stack buffer overflow. This allows a compromised device or a bus attacker to potentially corrupt kernel memory and hijack execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PX4 autopilot versions prior to 1.17.0-rc2 **Description** PX4 autopilot is a flight control solution for drones. The BST telemetry probe writes a string terminator using a device-provided length without bounds. A malicious BST device can report an oversized `dev name len`, causing a stack overflow in the driver and potentially enabling code execution. **Recommendations** Update to version 1.17.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** PX4 autopilot versions prior to 1.17.0-rc2 **Description** PX4 autopilot is a flight control solution for drones. The Zenoh uORB subscriber allocates a stack-based Variable Length Array (VLA) directly from the incoming payload length without any limitations. A remote Zenoh publisher can exploit this by sending an oversized fragmented message, which forces an unbounded stack allocation and copy operation. This can lead to a stack overflow and subsequent crash of the Zenoh bridge task. **Recommendations** Update to version 1.17.0-rc2 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do RustFS anteriores à alpha.78 **Descrição** O RustFS, um sistema de armazenamento de objetos distribuído, apresentava uma falha em seu mecanismo de controle de acesso. Especificamente, a função `get condition values` confiava indevidamente nos cabeçalhos `X-Forwarded-For` e `X-Real-Ip` fornecidos pelos clientes, sem verificar um proxy confiável. Isso permitia que qualquer cliente acessível falsificasse o `aws:SourceIp` e contornasse políticas de lista de permissão de IP. **Recomendações** Atualize para a versão alpha.78 ou posterior.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. An out-of-bounds heap read issue exists in the `cryptography encrypt()` function when processing JSON metadata received from KMC server responses. The problem stems from a flawed iteration pattern within the `strtok` function, specifically `ptr + strlen(ptr) + 1`, which can read one byte beyond the allocated buffer when handling short or malformed metadata strings. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution that uses the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. The `convert hexstring to byte array()` function within the MariaDB SA interface lacks a capacity check when writing decoded bytes into a caller-provided buffer. This can lead to a heap buffer overflow when importing SA fields (e.g., IV, ARSN, ABM) from the database if a malformed or oversized hex string is present. The vulnerable function is `convert hexstring to byte array()`. **Recommendations** Update to CryptoLib version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software-only solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. Versions prior to 1.4.3 contain an out-of-bounds heap read issue within the `cryptography aead encrypt()` function. The issue stems from a flawed `strtok` pattern during KMC AEAD encrypt metadata parsing. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do CryptoLib anteriores à 1.4.3 **Descrição** O CryptoLib é uma solução exclusivamente de software que utiliza o CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) para proteger as comunicações entre uma espaçonave executando o core Flight System (cFS) e uma estação terrestre. Antes da versão 1.4.3, a função `cryptography encrypt()` aloca múltiplos buffers para requisições HTTP e parsing de JSON que não são liberados, resultando em um vazamento de memória. Cada chamada à função vaza aproximadamente 400 bytes de memória, e tráfego sustentado pode gradualmente esgotar a memória disponível. **Recomendações** As versões anteriores à 1.4.3 devem ser atualizadas para a versão 1.4.3 ou posterior.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. Before version 1.4.3, the `cryptography encrypt()` and `cryptography decrypt()` functions do not free allocated buffers when the KMC server returns a non-200 HTTP status code. Each failed request results in a memory leak of approximately 467 bytes, potentially leading to memory exhaustion with repeated failures. The issue occurs when interacting with the KMC server. **Recommendations** Update to CryptoLib version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) for secure communication between a spacecraft and a ground station. The `write callback` function within the KMC crypto service client, prior to version 1.4.3, does not adequately limit the size of reallocated response buffers. This allows a malicious KMC server to send arbitrarily large HTTP responses, leading to excessive memory allocation and potential process termination. The vulnerable component is the libcurl function used for handling HTTP responses. The `write callback` function is specifically affected. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.