CVE-2024-42484

Name of the Vulnerable Software and Affected Versions ESP-NOW Component (affected versions not specified)

Description The ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An Out-of-Bound (OOB) vulnerability was discovered in the implementation of the ESP-NOW group type message because there is no check for the addrs num field of the group type message. This can result in memory corruption related attacks. Normally, there are two fields in the group information that need to be checked, i.e., the addrs num field and the addrs list field. Since only the addrs list field is checked, an attacker can send a group type message with an invalid addrs num field, which will cause the message handled by the firmware to be much larger than the current buffer, thus causing a memory corruption issue that goes beyond the payload length.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.