CVE-2024-29195
Published: 26 March 2024
Summary
CVE-2024-29195 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Microsoft Azure C Shared Utility. Its CVSS base score is 6.0 (Medium).
Operationally, ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The azure-c-shared-utility C library, used by the Azure IoT C SDK for AMQP and MQTT communication with Azure IoT Hub, contains a flaw in its parameter-checking logic for buffer length values. An attacker-supplied length can trigger integer wraparound, under-allocation, or a subsequent heap buffer overflow (CWE-120), potentially enabling remote code execution on an IoT device.
Exploitation requires a compromised Azure account that can inject malformed payloads through IoT Hub, the ability to exceed the service’s 128 KB message-size limit, and sufficient control to overwrite executable memory. Under these conditions an attacker can achieve arbitrary code execution on the affected device.
The vulnerability was addressed in commit 1129147c38ac02ad974c4c701a1e01b2141b9fe2 of azure-c-shared-utility; the corresponding GitHub Security Advisory GHSA-m8wp-hc7w-x4xg recommends updating to a patched version of the library.
EPSS for the CVE rose from low values to a peak of 0.0592 on 2025-12-18 before receding to the current 0.0242, indicating a measurable increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26216
Vulnerability details
The azure-c-shared-utility is a C library for AMQP/MQTT communication to Azure Cloud Services. This library may be used by the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices. An attacker can cause an integer wraparound…
more
or under-allocation or heap buffer overflow due to vulnerabilities in parameter checking mechanism, by exploiting the buffer length parameter in Azure C SDK, which may lead to remote code execution. Requirements for RCE are 1. Compromised Azure account allowing malformed payloads to be sent to the device via IoT Hub service, 2. By passing IoT hub service max message payload limit of 128KB, and 3. Ability to overwrite code space with remote code. Fixed in commit https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.