Cyber Resilience

CVE-2024-57261

Severity: High
Published: 19 February 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.6th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57261 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in barebox, a Pengutronix project (vendor inferred from references). Its CVSS v3.1 base score is 7.1 (High).

Operationally, its EPSS score places it at the 6.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57261 is an integer overflow in the request2size function in common/dlmalloc.c of barebox versions before 2025.01.0. It is a related issue to CVE-2024-57258, is classified under CWE-190 (Integer Overflow or Wraparound), and carries a CVSS v3.1 base score of 7.1 (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires physical access to the affected device and a high-complexity attack, with no privileges or user interaction needed. A successful attack has high impact on confidentiality, integrity, and availability, with a changed scope.

The fix ships in barebox 2025.01.0. The fixing commit is at https://git.pengutronix.de/cgit/barebox/commit/?id=7cf25e0733f08f68d1bf0ca0c3cf6e2dfe51bd3c, and additional details appear on the barebox mailing list at https://lists.infradead.org/pipermail/barebox/2024-November/048631.html.
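As an added illustration of the CWE-190 pattern described above (not barebox's code and not the fixing commit's diff): a request2size-style conversion modelled on the classic dlmalloc macro shape, showing how a request within a few bytes of SIZE_MAX wraps to the minimum chunk size, beside a range-checked variant. The constants and function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout constants in the classic dlmalloc style; assumed for this
 * illustration, not copied from barebox's common/dlmalloc.c. */
#define SIZE_SZ            (sizeof(size_t))        /* chunk header word */
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            (4 * SIZE_SZ)           /* smallest chunk */

/* Unchecked request-to-chunk-size conversion: add header and alignment
 * padding, then round up. The addition is done in size_t, so a request
 * within SIZE_SZ + MALLOC_ALIGN_MASK of SIZE_MAX wraps to a tiny value and
 * the function returns MINSIZE for a request of nearly SIZE_MAX bytes. */
static size_t request2size_unchecked(size_t req)
{
    size_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;   /* may wrap */
    if (padded < MINSIZE)
        return MINSIZE;
    return padded & ~(size_t)MALLOC_ALIGN_MASK;
}

/* True when the chunk size computed for req is smaller than req itself,
 * i.e. the caller would receive an undersized block. */
static bool request_wraps(size_t req)
{
    return request2size_unchecked(req) < req;
}

/* Hardened variant: refuse any request whose padded size is not
 * representable before doing the arithmetic. Returns 0 on rejection
 * (0 is never a valid chunk size here, since MINSIZE > 0). */
static size_t request2size_checked(size_t req)
{
    if (req > SIZE_MAX - SIZE_SZ - MALLOC_ALIGN_MASK)
        return 0;
    return request2size_unchecked(req);
}

int main(void)
{
    size_t huge = SIZE_MAX - 4;   /* constructed out-of-range request */
    printf("request %zu -> unchecked chunk %zu (wraps: %s)\n", huge,
           request2size_unchecked(huge), request_wraps(huge) ? "yes" : "no");
    printf("request %zu -> checked chunk %zu (0 = rejected)\n", huge,
           request2size_checked(huge));
    printf("request 100 -> checked chunk %zu\n", request2size_checked(100));
    return 0;
}
```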

Vulnerability details

In barebox before 2025.01.0, request2size in common/dlmalloc.c has an integer overflow, a related issue to CVE-2024-57258.

MITRE ATT&CK Enterprise Techniques (AI-mapped)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40962 (shared CWE-190)
CVE-2025-0587 (shared CWE-190)
CVE-2026-4775 (shared CWE-190)
CVE-2025-30404 (shared CWE-190)
CVE-2025-53518 (shared CWE-190)
CVE-2026-33040 (shared CWE-190)
CVE-2026-24660 (shared CWE-190)
CVE-2026-31633 (shared CWE-190)
CVE-2026-37555 (shared CWE-190)
CVE-2024-55656 (shared CWE-190)

Affected Assets

Pengutronix (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent): Directly mandates timely identification, reporting, and correction of the integer overflow flaw in barebox's dlmalloc request2size function via patching to version 2025.01.0.

PE-3 Physical Access Control (prevent): Enforces physical access controls that block the physical access prerequisite (AV:P) needed to exploit the vulnerability.

Memory protection (prevent): Implements memory protections such as execution restrictions and modification detection to mitigate exploitation of the integer overflow leading to potential memory corruption.
