CVE-2024-10395
Published: 03 February 2025
Summary
CVE-2024-10395 is a high-severity Buffer Under-read (CWE-127) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-10395 affects the Zephyr RTOS, specifically in the http_server_get_content_type_from_extension function, which lacks proper validation of the length of user input. This flaw, mapped to CWE-127, carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating high severity due to its potential for significant availability disruption alongside limited confidentiality and integrity impacts.
Remote attackers require no privileges, can exploit it over the network with low complexity and no user interaction, and achieve low-level confidentiality and integrity effects while causing high availability impact, such as denial of service through improper handling of oversized input.
The Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfww-j92m-x8fv provides details on the vulnerability and mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33600
Vulnerability details
No proper validation of the length of user input in http_server_get_content_type_from_extension.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing HTTP server component in Zephyr RTOS via malformed/oversized input leading to DoS (and limited C/I impact).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of user input lengths at entry points, preventing exploitation of the lack of length checks in http_server_get_content_type_from_extension.
Mandates timely identification, reporting, and correction of flaws like CVE-2024-10395 in Zephyr RTOS to eliminate the vulnerability.
Ensures proper error handling for oversized inputs to minimize availability disruptions and prevent denial-of-service from the length validation flaw.