CVE-2020-10024Incorrect Comparison in Zephyr

CWE-697Incorrect Comparison3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 74.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Zephyrproject-rtos ZephyrZephyrproject Zephyr
Timeline
PublishedMay 11
Latest updateMay 24

Description

The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5zephyrproject-rtos/zephyr1.14.0unspecified+1
NVDzephyrproject/zephyr1.14.2, 2.1.0+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-5c78-vcj8-vwr5: The arm platform-specific code uses a signed integer comparison when validating system call numbers2022-05-24
CVEList
ARM Platform Uses Signed Integer Comparison When Validating Syscall Numbers2020-05-11
CVE-2020-10024 — Incorrect Comparison in Zephyr | cvebase