CVE-2024-10395
Published: 03 February 2025
Summary
CVE-2024-10395 is a high-severity Buffer Under-read (CWE-127) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.6 (High).
Operationally, ranked in the top 48.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user input lengths at entry points, preventing exploitation of the lack of length checks in http_server_get_content_type_from_extension.
Mandates timely identification, reporting, and correction of flaws like CVE-2024-10395 in Zephyr RTOS to eliminate the vulnerability.
Ensures proper error handling for oversized inputs to minimize availability disruptions and prevent denial-of-service from the length validation flaw.
NVD Description
No proper validation of the length of user input in http_server_get_content_type_from_extension.
Deeper analysisAI
CVE-2024-10395 affects the Zephyr RTOS, specifically in the http_server_get_content_type_from_extension function, which lacks proper validation of the length of user input. This flaw, mapped to CWE-127, carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating high severity due to its potential for significant availability disruption alongside limited confidentiality and integrity impacts.
Remote attackers require no privileges, can exploit it over the network with low complexity and no user interaction, and achieve low-level confidentiality and integrity effects while causing high availability impact, such as denial of service through improper handling of oversized input.
The Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfww-j92m-x8fv provides details on the vulnerability and mitigation guidance.
Details
- CWE(s)