Ceolin

**Name of the Vulnerable Software and Affected Versions** SocketCAN (affected versions not specified) **Description** The SocketCAN implementation contains an out-of-bounds read issue. The function `zcan sendto ctx()` validates the length of a user-provided buffer containing a `socketcan frame` object using only a `NET ASSERT` statement. In production builds where assertions are disabled, a userspace application can control the length passed to a `sendto` syscall to provide an incomplete or truncated frame. This causes the `socketcan to can frame()` function to dereference fields beyond the buffer end, potentially leading to denial-of-service crashes or the leakage of adjacent memory as the parsed contents are transmitted over the network. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** Sockets created with `IPPROTO TLS 1 3` may negotiate a TLS 1.2 connection if both TLS versions are enabled in Kconfig. This occurs because the socket-level protocol selection is not propagated to mbedTLS, such as through the `mbedtls ssl conf min tls version` function. Consequently, the ClientHello advertises both versions, allowing a peer to establish a TLS 1.2 connection. Applications expecting `IPPROTO TLS 1 3` to enforce TLS 1.3 may silently use TLS 1.2, leaving them exposed to weaknesses specific to TLS 1.2. **Recommendations** Restrict the `TLS CIPHERSUITE LIST` socket option to TLS 1.3-only cipher suites as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Versions prior to a fix are affected. Description A race condition during TCP connection teardown can cause tcp recv() to operate on a connection that has already been released. If tcp conn search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp backlog is full() and dereferenced without validation, leading to a crash. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** (affected versions not specified) **Description** The function responsible for handling BLE (Bluetooth Low Energy) connection responses does not verify whether a response is expected, relying solely on identifier matching. This means the device does not confirm if it initiated a connection request before processing a response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bluetooth Low Energy (BLE) (affected versions not specified) **Description** A flaw exists in the handling of Bluetooth Low Energy (BLE) fixed channels, such as SMP or ATT. An attacker can exploit this issue, causing the BLE target device to attempt to disconnect a fixed channel, which is disallowed by the Bluetooth specification. This results in undefined behavior, potentially leading to assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. (affected versions not specified) **Description** The software exhibits a flaw due to improper validation or sanitization of parameters. These parameters are subsequently utilized in internal operations, potentially leading to security issues. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A denial-of-service issue in the dns implementation could cause an infinite loop. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The issue is related to errors in the representation of given functions in the Bluetooth protocol implementation of the Zephyr real-time operating system. It may allow a remote attacker to gain unauthorized access to protected information. In the Bluetooth mesh implementation, if a provisionee has a public key sent out-of-band (OOB), it can be sent back during provisioning and will be accepted by the provisionee. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The issue is related to the Bluetooth protocol implementation, specifically with the bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands. This may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash or potential remote code execution (RCE) on the Host layer. Additionally, there is a buffer overflow issue in the Zephyr real-time operating system's Bluetooth protocol implementation, which can be exploited by a remote attacker to cause a denial of service or execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions mentioned. **Description** A missing nullptr-check in the handle ra input function can cause a nullptr-deref. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bluetooth HCI (affected versions not specified) **Description** The issue is related to inconsistent handling of error cases in Bluetooth HCI, which may lead to a double free condition of a network buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bluetooth software (affected versions not specified) **Description** A malicious or defective Bluetooth controller can cause buffer overreads in most functions that process HCI command responses. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BlueZ (affected versions not specified) **Description** A malicious or defective Bluetooth controller can cause a Denial of Service due to unchecked input in `le read buffer size complete`. This issue is related to the handling of input in the Bluetooth controller, which can lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue arises from the lack of a check to see if slot 0 is being uploaded from the device to the host. This oversight allows for the easy retrieval of unencrypted firmware when using encrypted images. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to an error in the condition of the last if-statement in the function `smp check keys()`. This error caused the function to reject current keys if all requirements were unmet. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or version is mentioned. **Description** The issue occurs in the `tcp flags` function within the `subsys/net/ip/tcp.c` file. When the incoming parameter `flags` is set to ECN or CWR, it causes an out-of-bounds write of a byte with the value zero to the `buf`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr versions >= v2.6.0 **Description** The issue is related to a buffer overflow in the USB device class, specifically a heap-based buffer overflow. This is classified as CWE-122. **Recommendations** For Zephyr versions >= v2.6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr versions >= v2.6.0 **Description** The RNDIS USB device class includes a buffer overflow vulnerability, specifically a Heap-based Buffer Overflow (CWE-122). **Recommendations** For Zephyr versions >= v2.6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Zephyr versions 2.5.0 and later Description: The issue is related to Buffer Access with Incorrect Length Value in Zephyr, which is described as CWE-805. This problem affects Zephyr versions 2.5.0 and later. Recommendations: For Zephyr versions 2.5.0 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Zephyr versions 1.14.2 and later Zephyr versions 2.4.0 and later Zephyr versions 2.5.0 and later Description: The issue allows overwriting an existing bond during the keys distribution phase when the identity address of the bond is known. This is due to the use of multiple resources with duplicate identifiers. Recommendations: For Zephyr versions 1.14.2 and later, consider disabling the bond overwrite functionality until a patch is available. For Zephyr versions 2.4.0 and later, restrict access to the keys distribution phase to minimize the risk of exploitation. For Zephyr versions 2.5.0 and later, avoid using the identity address of the bond in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.