CVE-2023-23299

Name of the Vulnerable Software and Affected Versions GarminOS TVM component in CIQ API versions 1.0.0 through 4.1.7

Description The permission system implemented by the GarminOS TVM component can be bypassed entirely, allowing a malicious application with specially crafted code and data sections to access restricted CIQ modules, call their functions, and disclose sensitive data such as user profile information and GPS coordinates.

Recommendations For CIQ API versions 1.0.0 through 4.1.7, consider restricting access to sensitive data and CIQ modules until a patch is available. As a temporary workaround, disabling the use of specially crafted code and data sections in applications can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.