Mcuboot · Mcuboot · CVE-2024-32883
**Name of the Vulnerable Software and Affected Versions**
MCUboot (affected versions not specified)
**Description**
The issue concerns MCUboot, a secure bootloader for 32-bit microcontrollers, which uses a TLV (tag-length-value) structure to represent image metadata. This structure is divided into protected and unprotected sections; protected TLV entries are included in the image signature to prevent tampering. However, the code does not distinguish between TLV entry types that should be protected and those that need not be, so an attacker can add, as unprotected entries, TLVs of types that should be protected. The primary protected TLV entries are the dependency indication and the boot record. An attacker could inject a dependency value, causing an otherwise acceptable image to be rejected, or inject a boot record, potentially allowing an image to appear to have properties it should not have.
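The missing distinction can be written as a validation pass over the TLV area. The following is an added example, not MCUboot's code or its fix: it rejects an image when a dependency or boot record entry appears in the unprotected section. The section magics, type values and header layout are assumptions modelled on MCUboot's image format, and the sample byte arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (modelled on MCUboot's image format, not stated on this page):
 * a section is a 4-byte header {magic, total length incl. header} followed by
 * entries {type, length, value}; every field is 16-bit little-endian. */
#define TLV_PROT_MAGIC   0x6908u /* protected section: covered by the signature */
#define TLV_UNPROT_MAGIC 0x6907u /* unprotected section: not covered */
#define TLV_DEPENDENCY   0x40u
#define TLV_BOOT_RECORD  0x60u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the TLV area. Returns 0 if acceptable, -1 if malformed, -2 if a type
 * that is only trustworthy when signed appears in the unprotected section. */
int tlv_area_check(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len >= 4 && rd16(buf) == TLV_PROT_MAGIC) {  /* optional protected part */
        size_t prot_tot = rd16(buf + 2);
        if (prot_tot < 4 || prot_tot > len) return -1;
        off = prot_tot;                             /* signed: skip over it */
    }
    if (len - off < 4 || rd16(buf + off) != TLV_UNPROT_MAGIC) return -1;
    size_t tot = rd16(buf + off + 2);
    if (tot < 4 || tot > len - off) return -1;
    size_t end = off + tot;
    for (off += 4; off < end; ) {
        if (end - off < 4) return -1;               /* truncated entry header */
        uint16_t type = rd16(buf + off);
        size_t vlen = rd16(buf + off + 2);
        if (vlen > end - off - 4) return -1;        /* value overruns section */
        if (type == TLV_DEPENDENCY || type == TLV_BOOT_RECORD) return -2;
        off += 4 + vlen;
    }
    return 0;
}
/* Constructed sample: dependency entry inside the protected section (accepted). */
static const uint8_t sample_ok[] = {
    0x08,0x69, 0x0a,0x00,  0x40,0x00, 0x02,0x00, 0xaa,0xbb,
    0x07,0x69, 0x09,0x00,  0x10,0x00, 0x01,0x00, 0xcc };
/* Constructed sample: boot record in the unprotected section (rejected). */
static const uint8_t sample_bad[] = {
    0x08,0x69, 0x04,0x00,
    0x07,0x69, 0x09,0x00,  0x60,0x00, 0x01,0x00, 0xdd };

int main(void)
{
    return (tlv_area_check(sample_ok, sizeof sample_ok) == 0 &&
            tlv_area_check(sample_bad, sizeof sample_bad) == -2) ? 0 : 1;
}
```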
**Recommendations**
As a temporary workaround, consider disabling the boot record functionality until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.