0Xdea

**Name of the Vulnerable Software and Affected Versions** RIOT (affected versions not specified) **Description** The issue is related to a buffer overflow vulnerability in the RIOT operating system, which supports a range of devices typically using 8-bit, 16-bit, and 32-bit microcontrollers. A small typo in the `gcoap dns server proxy get()` function may lead to a buffer overflow in the subsequent `strcpy()`, as the length of the ` uri` string is checked instead of the length of the ` proxy` string. Additionally, the ` gcoap forward proxy copy options()` function does not implement an explicit size check before copying data to the `cep->req etag` buffer, which is `COAP ETAG LENGTH MAX` bytes long. If an attacker can craft input so that `optlen` becomes larger than `COAP ETAG LENGTH MAX`, they can cause a buffer overflow. The impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. **Recommendations** As a temporary workaround, consider adding manual bounds checking to prevent buffer overflows. Restrict access to the vulnerable functions `gcoap dns server proxy get()` and ` gcoap forward proxy copy options()` to minimize the risk of exploitation. Avoid using the `optlen` variable in a way that could cause it to exceed `COAP ETAG LENGTH MAX` until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RIOT (affected versions not specified) **Description** RIOT is a real-time multi-threading operating system that supports a range of devices, typically 8-bit, 16-bit, and 32-bit microcontrollers. The software may be exposed to attacks due to the lack of proper input checks, as assertions are the only line of defense against untrusted input and compile to a no-op on non-debug builds. In the `nimble scanlist update()` function, the `len` variable is checked in an assertion and subsequently used in a call to `memcpy()`. If an attacker provides a larger `len` value while assertions are compiled-out, they can write past the end of the fixed-length `e->ad` buffer, potentially leading to a buffer overflow vulnerability. The impact could range from denial of service to arbitrary code execution. **Recommendations** As a temporary workaround, consider adding manual `len` checking to prevent buffer overflows. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RIOT (affected versions not specified) **Description** The ` on rd init()` function in RIOT does not implement a size check before copying data to the ` result buf` static buffer. This can cause a buffer overflow if an attacker crafts a long enough payload. The impact of this issue could range from denial of service to arbitrary code execution if the unchecked input crosses a security boundary. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider adding manual bounds checking to prevent the buffer overflow.

**Name of the Vulnerable Software and Affected Versions** Eclipse ThreadX versions prior to 6.4.0 **Description** The issue arises from missing parameter checks in the `xQueueCreate()` and `xQueueCreateSet()` functions from the FreeRTOS compatibility API. This could lead to integer wraparound, under-allocations, and heap buffer overflows. **Recommendations** For Eclipse ThreadX versions prior to 6.4.0, update to version 6.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the `xQueueCreate()` and `xQueueCreateSet()` functions until a patch is available. Restrict access to the FreeRTOS compatibility API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Eclipse ThreadX versions prior to 6.4.0 **Description** The issue is related to a missing array size check in the ` Mtxinit()` function within the Xtensa port of Eclipse ThreadX, causing a memory overwrite. The affected file is `ports/xtensa/xcc/src/tx clib lock.c`. **Recommendations** For versions prior to 6.4.0, update to version 6.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the ` Mtxinit()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Eclipse ThreadX NetX Duo versions prior to 6.4.0 **Description** The issue arises when an attacker can control parameters of the ` portable aligned alloc()` function, potentially causing an integer wrap-around and an allocation smaller than expected. This could lead to subsequent heap buffer overflows. **Recommendations** For versions prior to 6.4.0, update to version 6.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the ` portable aligned alloc()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** azure-c-shared-utility (affected versions not specified) **Description** The azure-c-shared-utility library has a vulnerability related to the parameter checking mechanism, which can cause an integer wraparound, under-allocation, or heap buffer overflow. This issue can be exploited by an attacker to achieve remote code execution (RCE) by sending malformed payloads to devices via the IoT Hub service. The requirements for RCE include a compromised Azure account, exceeding the IoT Hub service's maximum message payload limit of 128KB, and the ability to overwrite code space with remote code. The `buffer length` parameter is exploited in the Azure C SDK. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TinyDir versions prior to 1.2.6 **Description** The issue is related to buffer overflows in the `tinydir file open()` function, which can be exploited by a remote attacker to execute arbitrary code. TinyDir is a lightweight C directory and file reader. **Recommendations** For versions prior to 1.2.6, update to version 1.2.6 or later to resolve the issue. As a temporary workaround, consider disabling the `tinydir file open()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zephyr STM32 Crypto driver (affected versions not specified) **Description** A potential buffer overflow vulnerability exists in the Zephyr STM32 Crypto driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The issue is related to potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci core.c. This vulnerability is associated with unverified copying of input data, which may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** A potential buffer overflow vulnerability exists in the Zephyr IEEE 802.15.4 nRF 15.4 driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wifi shell.c (affected versions not specified) **Description** The issue is related to unchecked user input length in the wifi shell.c file, which can cause buffer overflows. The specific API endpoint affected is /subsys/net/l2/wifi/wifi shell.c. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The issue is related to a potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. This vulnerability may allow a remote attacker to execute arbitrary code. The vulnerability is associated with the file subsys/canbus/isotp/isotp.c and is related to a stack-based buffer overflow. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr IPM drivers (affected versions not specified) **Description** The issue involves two potential signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM drivers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The issue concerns potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** A potential off-by-one buffer overflow vulnerability exists in the Zephyr fuse file system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr eS-WiFi driver (affected versions not specified) **Description** The issue concerns two potential buffer overflow vulnerabilities located in the Zephyr eS-WiFi driver source code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The issue concerns potential buffer overflow vulnerabilities in specific locations within the Zephyr codebase, including drivers/usb/device/usb dc native posix.c and subsys/usb/device/class/netusb/function rndis.c. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.