Cyber Resilience

CVE-2023-34398

High

Published: 13 February 2025

Published
13 February 2025
Modified
27 June 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0026 49.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-34398 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 49.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-34398 is a null pointer dereference vulnerability (CWE-476) in the Boost library's serialization functionality, affecting the Mercedes-Benz NTG6 head-unit. The issue arises in functions that import or export profile settings over USB, where certain table values are processed as serialized archives according to the Boost library, leading to the dereference during deserialization.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it can be exploited remotely over a network by unauthenticated attackers with low complexity and no user interaction. Exploitation triggers a crash in the affected component, resulting in denial-of-service with high availability impact but no confidentiality or integrity effects.

Mitigation details are outlined in the Kaspersky advisory at https://securelist.com/mercedes-benz-head-unit-security-research/115218/.

EU & UK References

Vulnerability details

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Some values of this table are serialized archive according boost library. The boost library contains a vulnerability/null pointer dereference.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference during Boost deserialization of USB profile settings directly enables remote exploitation to crash the head-unit component, matching Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-34400Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2023-34402Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2023-34397Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2023-34399Same product: Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience
CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-57156Shared CWE-476
CVE-2025-63647Shared CWE-476

Affected Assets

mercedes-benz
headunit ntg6 mercedes-benz user experience
≤ 2021

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, testing, and installation of patches to remediate the specific null pointer dereference vulnerability in the Boost library's serialization during USB profile import.

prevent

Validates imported profile settings as serialized archives over USB to prevent malformed data from triggering the deserialization null pointer dereference and crash.

prevent

Ensures secure error handling during Boost deserialization to avoid denial-of-service crashes from null pointer dereferences without compromising availability.

References