CVE-2020-27484

Name of the Vulnerable Software and Affected Versions Garmin Forerunner 235 versions prior to 8.20

Description The issue is related to an Integer Overflow in the ConnectIQ TVM component. To exploit this, an attacker must upload a malicious ConnectIQ application to the ConnectIQ store. The ConnectIQ program interpreter fails to check for overflow when allocating the array for the NEWA instruction, resulting in a constrained read/write primitive across the entire MAX32630 address space. A successful exploit would allow a ConnectIQ app store application to escape and perform activities outside the restricted application execution environment.

Recommendations For Garmin Forerunner 235 versions prior to 8.20, update to version 8.20 or later to resolve the issue. As a temporary workaround, consider restricting the installation of ConnectIQ applications from untrusted sources to minimize the risk of exploitation.