Cyber Resilience

CVE-2024-10395

High

Published: 03 February 2025

Published
03 February 2025
Modified
29 October 2025
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0028 51.7th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-10395 is a high-severity Buffer Under-read (CWE-127) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-10395 affects the Zephyr RTOS, specifically in the http_server_get_content_type_from_extension function, which lacks proper validation of the length of user input. This flaw, mapped to CWE-127, carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating high severity due to its potential for significant availability disruption alongside limited confidentiality and integrity impacts.

Remote attackers require no privileges, can exploit it over the network with low complexity and no user interaction, and achieve low-level confidentiality and integrity effects while causing high availability impact, such as denial of service through improper handling of oversized input.

The Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfww-j92m-x8fv provides details on the vulnerability and mitigation guidance.

EU & UK References

Vulnerability details

No proper validation of the length of user input in http_server_get_content_type_from_extension.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public-facing HTTP server component in Zephyr RTOS via malformed/oversized input leading to DoS (and limited C/I impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1673Same product: Zephyrproject Zephyr
CVE-2025-1674Same product: Zephyrproject Zephyr
CVE-2025-1675Same product: Zephyrproject Zephyr
CVE-2026-1678Same product: Zephyrproject Zephyr
CVE-2026-1679Same product: Zephyrproject Zephyr
CVE-2026-5928Shared CWE-127

Affected Assets

zephyrproject
zephyr
≤ 3.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user input lengths at entry points, preventing exploitation of the lack of length checks in http_server_get_content_type_from_extension.

prevent

Mandates timely identification, reporting, and correction of flaws like CVE-2024-10395 in Zephyr RTOS to eliminate the vulnerability.

prevent

Ensures proper error handling for oversized inputs to minimize availability disruptions and prevent denial-of-service from the length validation flaw.

References