Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <0dba2c78-44ea-f268-c1eb-5a7484a8d9f0@apache.org>
Date: Tue, 26 Nov 2024 08:17:26 +0000
From: Szymon Janc <janc@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-51569: Apache NimBLE: Lack of input sanitization leading
 to out-of-bound reads in Number of Completed Packets HCI event handler 

Severity: low

Affected versions:

- Apache NimBLE through 1.7.0

Description:

Out-of-bounds Read vulnerability in Apache NimBLE.

Missing proper validation of HCI Number Of Completed Packets could lead to out-of-bound access when parsing HCI event and invalid read from HCI transport memory.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.


Users are recommended to upgrade to version 1.8.0, which fixes the issue.

Credit:

Eunkyu Lee (reporter)

References:

https://mynewt.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-51569

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.