Max-R-B

**Name of the Vulnerable Software and Affected Versions** eswifi (affected versions not specified) **Description** The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space. Oversized sends can overflow `eswifi->buf`, leading to kernel memory corruption. Exploitation requires local code that can call the socket send API; direct remote access is not possible. The issue involves a lack of bounds checking on the payload length when using the socket send functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zephyr (affected versions not specified) **Description** The Zephyr crypto driver contains a flaw where malformed ATAES132A responses with an oversized length field can cause a 52-byte stack buffer overflow. This allows a compromised device or a bus attacker to potentially corrupt kernel memory and hijack execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PX4 autopilot versions prior to 1.17.0-rc2 **Description** PX4 autopilot is a flight control solution for drones. The BST telemetry probe writes a string terminator using a device-provided length without bounds. A malicious BST device can report an oversized `dev name len`, causing a stack overflow in the driver and potentially enabling code execution. **Recommendations** Update to version 1.17.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** PX4 autopilot versions prior to 1.17.0-rc2 **Description** PX4 autopilot is a flight control solution for drones. The Zenoh uORB subscriber allocates a stack-based Variable Length Array (VLA) directly from the incoming payload length without any limitations. A remote Zenoh publisher can exploit this by sending an oversized fragmented message, which forces an unbounded stack allocation and copy operation. This can lead to a stack overflow and subsequent crash of the Zenoh bridge task. **Recommendations** Update to version 1.17.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to alpha.78 **Description** RustFS, a distributed object storage system, had a flaw in its access control mechanism. Specifically, the `get condition values` function improperly trusted the `X-Forwarded-For` and `X-Real-Ip` headers provided by clients without verifying a trusted proxy. This allowed any reachable client to spoof the `aws:SourceIp` and bypass IP-allowlist policies. **Recommendations** Update to version alpha.78 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. An out-of-bounds heap read issue exists in the `cryptography encrypt()` function when processing JSON metadata received from KMC server responses. The problem stems from a flawed iteration pattern within the `strtok` function, specifically `ptr + strlen(ptr) + 1`, which can read one byte beyond the allocated buffer when handling short or malformed metadata strings. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution that uses the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. The `convert hexstring to byte array()` function within the MariaDB SA interface lacks a capacity check when writing decoded bytes into a caller-provided buffer. This can lead to a heap buffer overflow when importing SA fields (e.g., IV, ARSN, ABM) from the database if a malformed or oversized hex string is present. The vulnerable function is `convert hexstring to byte array()`. **Recommendations** Update to CryptoLib version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software-only solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. Versions prior to 1.4.3 contain an out-of-bounds heap read issue within the `cryptography aead encrypt()` function. The issue stems from a flawed `strtok` pattern during KMC AEAD encrypt metadata parsing. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software-only solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the `cryptography encrypt()` function allocates multiple buffers for HTTP requests and JSON parsing that are not freed, resulting in a memory leak. Each call to the function leaks approximately 400 bytes of memory, and sustained traffic can gradually exhaust available memory. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft and a ground station. Before version 1.4.3, the `cryptography encrypt()` and `cryptography decrypt()` functions do not free allocated buffers when the KMC server returns a non-200 HTTP status code. Each failed request results in a memory leak of approximately 467 bytes, potentially leading to memory exhaustion with repeated failures. The issue occurs when interacting with the KMC server. **Recommendations** Update to CryptoLib version 1.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** CryptoLib versions prior to 1.4.3 **Description** CryptoLib is a software solution utilizing the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) for secure communication between a spacecraft and a ground station. The `write callback` function within the KMC crypto service client, prior to version 1.4.3, does not adequately limit the size of reallocated response buffers. This allows a malicious KMC server to send arbitrarily large HTTP responses, leading to excessive memory allocation and potential process termination. The vulnerable component is the libcurl function used for handling HTTP responses. The `write callback` function is specifically affected. **Recommendations** Versions prior to 1.4.3 should be updated to version 1.4.3 or later.