Cyber Resilience

CVE-2024-29195

Medium

Published: 26 March 2024

Published
26 March 2024
Modified
15 December 2025
KEV Added
Patch
CVSS Score v3.1 6.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
EPSS Score 0.0242 85.5th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-29195 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Microsoft Azure C Shared Utility. Its CVSS base score is 6.0 (Medium).

Operationally, ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The azure-c-shared-utility C library, used by the Azure IoT C SDK for AMQP and MQTT communication with Azure IoT Hub, contains a flaw in its parameter-checking logic for buffer length values. An attacker-supplied length can trigger integer wraparound, under-allocation, or a subsequent heap buffer overflow (CWE-120), potentially enabling remote code execution on an IoT device.

Exploitation requires a compromised Azure account that can inject malformed payloads through IoT Hub, the ability to exceed the service’s 128 KB message-size limit, and sufficient control to overwrite executable memory. Under these conditions an attacker can achieve arbitrary code execution on the affected device.

The vulnerability was addressed in commit 1129147c38ac02ad974c4c701a1e01b2141b9fe2 of azure-c-shared-utility; the corresponding GitHub Security Advisory GHSA-m8wp-hc7w-x4xg recommends updating to a patched version of the library.

EPSS for the CVE rose from low values to a peak of 0.0592 on 2025-12-18 before receding to the current 0.0242, indicating a measurable increase in exploitation interest after public disclosure.

EU & UK References

Vulnerability details

The azure-c-shared-utility is a C library for AMQP/MQTT communication to Azure Cloud Services. This library may be used by the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices. An attacker can cause an integer wraparound…

more

or under-allocation or heap buffer overflow due to vulnerabilities in parameter checking mechanism, by exploiting the buffer length parameter in Azure C SDK, which may lead to remote code execution. Requirements for RCE are 1. Compromised Azure account allowing malformed payloads to be sent to the device via IoT Hub service, 2. By passing IoT hub service max message payload limit of 128KB, and 3. Ability to overwrite code space with remote code. Fixed in commit https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
azure c shared utility
≤ 2023-12-01

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

References