CVE-2020-10019 — Classic Buffer Overflow in Zephyr

CWE-120 — Classic Buffer Overflow3 documents3 sources

Severity

7.8HIGHNVD

CNA8.1

EPSS

0.2%

top 55.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zephyrproject-rtos Zephyr Zephyrproject Zephyr

Timeline

PublishedMay 11

Latest updateMay 24

Description

USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size. This could be used by a malicious USB host to exploit the buffer overflow. See NCC-ZEP-002 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5zephyrproject-rtos/zephyr1.14.1 — unspecified+1

▶NVDzephyrproject/zephyr2.0.0 — 2.1.0+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-qv66-5g67-qh59: USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size↗2022-05-24

▶

CVEList

Buffer Overflow in USB DFU requested length↗2020-05-11

▶