CVE-2024-10838
Published: 12 March 2025
Summary
CVE-2024-10838 is a critical-severity Wrap or Wraparound (CWE-191) vulnerability in Eclipse Cyclone Data Distribution Service. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly addressing the integer underflow in Eclipse CycloneDDS deserialization by requiring patches like version 0.10.5.
SI-10 enforces validation of deserialization inputs to block malformed data causing integer underflow and out-of-bounds heap reads.
SI-16 implements memory safeguards like ASLR and guard pages to mitigate out-of-bounds reads leaking secrets or causing crashes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization flaw enables OOB heap reads leaking secret data (credential access via exploitation) and crashes (DoS); directly maps to T1190 for initial access on public-facing services and T1212 for credential access.
NVD Description
An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. This may result into secret data or pointers revealing the layout of the address space to be included into a deserialized data structure,…
more
which may potentially lead to thread crashes or cause denial of service conditions.
Deeper analysisAI
CVE-2024-10838, published on 2025-03-12, is an integer underflow vulnerability (CWE-191) affecting Eclipse CycloneDDS. The flaw occurs during deserialization and enables out-of-bounds reads of heap memory, potentially incorporating secret data or pointers that reveal the address space layout into deserialized data structures.
Any unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity, as indicated by its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). Successful exploitation may leak sensitive information via confidentiality impacts or trigger thread crashes and denial-of-service conditions through availability impacts.
Advisories and patches are detailed in Eclipse CycloneDDS resources, including the GitHub security advisory (GHSA-6jj6-w25p-jc42) and release tag 0.10.5, with CVE assignment tracked at Eclipse GitLab issue 46. Security practitioners should review these for mitigation guidance, such as updating to the patched version.
Details
- CWE(s)