CVE-2022-31363

Name of the Vulnerable Software and Affected Versions Cypress Bluetooth Mesh SDK version BSA0107 05.01.00-BX8-AMESH-08

Description The issue is related to a buffer overflow that can allow the execution of arbitrary code remotely. It is caused by an out-of-bound write vulnerability during mesh provisioning due to a lack of check for mismatched SegN and TotalLength in Transaction Start PDU. The affected function is pb transport handle frag .

Recommendations For Cypress Bluetooth Mesh SDK version BSA0107 05.01.00-BX8-AMESH-08, as a temporary workaround, consider disabling the pb transport handle frag function until a patch is available. Restrict access to the mesh provisioning feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.