Cyber Resilience

CVE-2024-23933

Medium

Published: 23 September 2024
Modified: 15 April 2026
KEV added: not listed
Patch: firmware update available from Sony
CVSS v3.1 score: 6.8 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0635 (91.2nd percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23933 is a medium-severity stack-based buffer overflow (CWE-121) in the Sony XAV-AX5500 CarPlay implementation (product inferred from references). Its CVSS v3.1 base score is 6.8 (Medium).

Operationally, it ranks in the top 8.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-23933 is a stack-based buffer overflow in the Apple CarPlay protocol implementation on Sony XAV-AX5500 head units. The flaw, tracked as ZDI-CAN-23238 and classified as CWE-121, stems from missing validation of the length of user-supplied data before it is copied into a fixed-length stack buffer, which allows arbitrary code execution in the context of the device. It carries a CVSS 3.1 score of 6.8; the Physical attack vector (AV:P) reflects that the CarPlay interface must be reached locally.

The vulnerability can be exploited by a physically present attacker without authentication or user interaction. Successful exploitation allows arbitrary code to run on the affected head unit when malformed CarPlay TLV data is supplied over the protocol interface.

A firmware update addressing the issue is available from Sony at the referenced support page, and additional details are published in the corresponding Zero Day Initiative advisory. The EPSS score has remained flat at 0.0635 with no material increase observed since disclosure.

Vulnerability details

Sony XAV-AX5500 CarPlay TLV Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the Apple CarPlay protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23238.
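The advisory text above describes a missing length check before a copy into a fixed-length stack buffer. The following is an added illustrative example in C of what that check looks like when present; it is not Sony's firmware and not the CarPlay protocol implementation, and the one-byte type / one-byte length record layout, the 32-byte destination buffer, the status codes and the sample records are all constructed assumptions for the example.

```c
/* Hypothetical bounds-checked TLV value copy, added as an illustration of
 * the CWE-121 pattern the advisory describes. Not the Sony XAV-AX5500
 * firmware; the record layout (1-byte type, 1-byte length, value bytes)
 * and buffer size are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VALUE_BUF_SIZE 32   /* fixed-length destination, chosen for the example */

/* Outcome codes returned by the checked parser. */
enum tlv_status { TLV_OK = 0, TLV_TRUNCATED = 1, TLV_TOO_LONG = 2 };

/* Validate the declared length against both the bytes actually present in
 * the input and the capacity of the destination before copying. A CWE-121
 * implementation performs the memcpy using the attacker-controlled length
 * directly, omitting the second comparison. */
enum tlv_status tlv_parse_checked(const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_cap,
                                  uint8_t *type, size_t *out_len)
{
    if (in == NULL || in_len < 2)
        return TLV_TRUNCATED;       /* need at least type + length bytes */
    size_t len = in[1];
    if (len > in_len - 2)
        return TLV_TRUNCATED;       /* declared length exceeds the input */
    if (len > out_cap)
        return TLV_TOO_LONG;        /* the check that prevents the overflow */
    memcpy(out, in + 2, len);
    *type = in[0];
    *out_len = len;
    return TLV_OK;
}

/* Wrapper that parses into a fixed-length stack buffer, mirroring the
 * destination described in the advisory, and reports only the status. */
enum tlv_status tlv_handle(const uint8_t *in, size_t in_len)
{
    uint8_t value[VALUE_BUF_SIZE];
    uint8_t type = 0;
    size_t vlen = 0;
    return tlv_parse_checked(in, in_len, value, sizeof value, &type, &vlen);
}

int main(void)
{
    /* Constructed sample records: well-formed, truncated, and over-long. */
    const uint8_t ok[] = {0x01, 0x03, 'a', 'b', 'c'};
    const uint8_t truncated[] = {0x01, 0x10, 'a', 'b'};
    uint8_t oversized[2 + 64];
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 0x02;
    oversized[1] = 64;                /* larger than VALUE_BUF_SIZE */

    printf("ok=%d truncated=%d oversized=%d\n",
           tlv_handle(ok, sizeof ok),
           tlv_handle(truncated, sizeof truncated),
           tlv_handle(oversized, sizeof oversized));
    return 0;
}
```

The two comparisons are independent: the first rejects records whose declared length runs past the end of the received data (an over-read), the second rejects lengths that exceed the destination (the stack overflow this CVE describes). Firmware review for this CWE class amounts to finding every copy whose size is derived from a protocol length field and confirming the second comparison is present.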

CWE(s)

CWE-121: Stack-based Buffer Overflow
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Sony XAV-AX5500 CarPlay (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
