Cyber Posture

CVE-2024-57261

High

Published: 19 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (barebox 2025.01.0)
CVSS Score: 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57261 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in barebox, the bootloader maintained by Pengutronix (vendor inferred from references). Its CVSS base score is 7.1 (High).

Operationally, its EPSS score places it at the 6.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 (Flaw Remediation), prevent

Directly mandates timely identification, reporting, and correction of the integer overflow flaw in barebox's dlmalloc request2size function by updating to barebox 2025.01.0.

PE-3 (Physical Access Control), prevent

Enforces physical access controls that block the physical access prerequisite (AV:P) needed to exploit the vulnerability.

Memory protection, prevent

Implements memory protections such as execution restrictions and modification detection to mitigate exploitation of the integer overflow, which can otherwise lead to memory corruption.

MITRE ATT&CK Enterprise Techniques [AI]

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

In barebox before 2025.01.0, request2size in common/dlmalloc.c has an integer overflow, a related issue to CVE-2024-57258.

Deeper analysis [AI]

CVE-2024-57261 is an integer overflow vulnerability in the request2size function within common/dlmalloc.c in barebox versions before 2025.01.0. This issue, related to CVE-2024-57258, is classified under CWE-190 (Integer Overflow or Wraparound) and carries a CVSS v3.1 base score of 7.1 (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires physical access to the affected device and a high-complexity attack, with no privileges or user interaction needed. A successful attack can achieve high impacts on confidentiality, integrity, and availability, with a scope change (S:C), meaning the impact can extend beyond the component that contains the flaw.

Mitigation is provided in barebox 2025.01.0. The relevant fixing commit is available at https://git.pengutronix.de/cgit/barebox/commit/?id=7cf25e0733f08f68d1bf0ca0c3cf6e2dfe51bd3c, and additional details appear in the barebox mailing list at https://lists.infradead.org/pipermail/barebox/2024-November/048631.html.
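To make the flaw class concrete, the following C sketch is an added illustration (not code from barebox or from the fixing commit): a dlmalloc-style request2size computation that wraps for a request near SIZE_MAX, beside a checked variant that rejects such requests. The constants are assumed classic dlmalloc defaults for the host word size, not barebox's actual values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic dlmalloc-style constants (assumed values; barebox may differ). */
#define SIZE_SZ           (sizeof(size_t))
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)

/* Unchecked request-to-chunk-size conversion in the classic dlmalloc
 * style.  Adding chunk overhead plus alignment padding wraps for a request
 * close to SIZE_MAX, so a huge request collapses to a tiny chunk size
 * (CWE-190), which an allocator would then honour. */
size_t request2size_unchecked(size_t req)
{
    size_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;  /* may wrap */
    if (padded < MINSIZE)
        return MINSIZE;
    return padded & ~MALLOC_ALIGN_MASK;
}

/* Checked variant: refuse any request whose padded size is not
 * representable, so the caller fails instead of getting an undersized chunk. */
bool request2size_checked(size_t req, size_t *out)
{
    if (req > SIZE_MAX - SIZE_SZ - MALLOC_ALIGN_MASK)
        return false;  /* req + overhead would exceed SIZE_MAX */
    size_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;
    *out = (padded < MINSIZE) ? MINSIZE : (padded & ~MALLOC_ALIGN_MASK);
    return true;
}

/* Convenience wrapper: returns 0 when the request is rejected. */
size_t request2size_or_zero(size_t req)
{
    size_t out = 0;
    return request2size_checked(req, &out) ? out : 0;
}

int main(void)
{
    size_t huge = SIZE_MAX - 4;  /* constructed sample request */
    printf("unchecked(%zu) -> %zu\n", huge, request2size_unchecked(huge));
    printf("checked(%zu)   -> %zu (0 = rejected)\n", huge, request2size_or_zero(huge));
    printf("checked(100)   -> %zu\n", request2size_or_zero(100));
    return 0;
}
```

The unchecked path turns the near-SIZE_MAX request into MINSIZE, while the checked path rejects it and leaves ordinary requests unchanged.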

Details

CWE(s)

CWE-190 (Integer Overflow or Wraparound)

Affected Products

Pengutronix barebox before 2025.01.0 (vendor inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-41602 (shared CWE-190)
CVE-2025-24156 (shared CWE-190)
CVE-2026-27889 (shared CWE-190)
CVE-2025-53518 (shared CWE-190)
CVE-2026-41416 (shared CWE-190)
CVE-2026-27784 (shared CWE-190)
CVE-2026-0031 (shared CWE-190)
CVE-2024-57255 (shared CWE-190)
CVE-2024-55656 (shared CWE-190)
CVE-2026-24660 (shared CWE-190)

References