Cyber Resilience

CVE-2024-8361

High

Published: 07 January 2025

Modified: 15 April 2026
KEV: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0026 (50.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8361 is a high-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Silicon Labs (Silabs) products; the vendor attribution is inferred from the references. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). By exploit likelihood it is ranked at the 50.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2024-8361 is a vulnerability in SiWx91x devices where the SHA2/224 algorithm incorrectly returns a hash of 256 bits instead of the expected 224 bits. This discrepancy triggers a software assertion, resulting in a Denial of Service (DoS) condition. The affected component is part of the cryptographic implementation in these Silicon Labs devices.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, requiring no privileges or user interaction. A remote attacker can trigger the assertion by providing input that invokes the faulty SHA2/224 computation, causing the device to crash. If a watchdog timer is implemented, the device will restart after expiration; otherwise, recovery requires a hard reset. The issue is linked to CWE-131 (incorrect buffer size calculation) and CWE-617 (reachable assertion).

For mitigation details, refer to the Silicon Labs community advisory at https://community.silabs.com/068Vm00000I7zqo. The vulnerability was published on 2025-01-07.
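The defect described above is a digest-length mismatch that reaches an assertion. The following added example (not vendor code, not from the advisory) shows the defensive alternative: a known-answer self-test that validates the output length of a SHA-224 routine and returns a structured error instead of asserting. The `faulty_sha224` function is a constructed stand-in that mimics the reported symptom by returning a 256-bit digest; the test vector is the FIPS 180-4 SHA-224("abc") value.

```python
import hashlib
from typing import Callable, Tuple, Union

SHA224_DIGEST_BYTES = 28  # 224 bits; the SiWx91x defect returned 32 bytes (256 bits)

# FIPS 180-4 known-answer vector: SHA-224("abc")
KAT_MESSAGE = b"abc"
KAT_DIGEST = bytes.fromhex(
    "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7"
)

HashImpl = Callable[[bytes], bytes]


def faulty_sha224(data: bytes) -> bytes:
    """Constructed stand-in for the reported bug (hypothetical, not the
    vendor's implementation): a 256-bit digest comes back where a 224-bit
    one was requested."""
    return hashlib.sha256(data).digest()


def correct_sha224(data: bytes) -> bytes:
    """Reference SHA-224 from hashlib, used as the 'fixed' implementation."""
    return hashlib.sha224(data).digest()


def checked_sha224(data: bytes, impl: HashImpl) -> Tuple[bool, Union[bytes, str]]:
    """Wrap a hash routine and validate its output length before any caller
    can copy it into a fixed-size buffer. A mismatch yields (False, reason)
    rather than tripping an assertion and crashing the device."""
    digest = impl(data)
    if len(digest) != SHA224_DIGEST_BYTES:
        return False, (
            f"SHA-224 returned {len(digest) * 8} bits, "
            f"expected {SHA224_DIGEST_BYTES * 8}"
        )
    return True, digest


def sha224_self_test(impl: HashImpl) -> bool:
    """Power-on / pre-use known-answer test: length check plus KAT digest
    comparison. Returns False so the caller can disable the routine or
    report an error instead of hitting a reachable assertion later."""
    ok, out = checked_sha224(KAT_MESSAGE, impl)
    return ok and out == KAT_DIGEST


if __name__ == "__main__":
    print("correct impl passes self-test:", sha224_self_test(correct_sha224))
    print("faulty impl passes self-test: ", sha224_self_test(faulty_sha224))
    print(checked_sha224(KAT_MESSAGE, faulty_sha224))
```

Running the self-test once at boot, and the length check on every call, turns the CWE-617 crash path into a reportable error (the SI-11 control named above).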

EU & UK References

Vulnerability details

In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, the device will restart after the watchdog expires. If a watchdog is not implemented, the device can be recovered only after a hard reset.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of a cryptographic implementation flaw (wrong hash length) triggers an assertion and a device crash, which maps directly to application/system exploitation for endpoint DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2523 (shared CWE-617)
CVE-2024-24430 (shared CWE-617)
CVE-2025-13878 (shared CWE-617)
CVE-2026-37224 (shared CWE-617)
CVE-2024-34235 (shared CWE-617)
CVE-2026-20049 (shared CWE-131)
CVE-2026-40618 (shared CWE-131)
CVE-2026-37220 (shared CWE-617)
CVE-2026-41485 (shared CWE-617)
CVE-2019-25555 (shared CWE-131)

Affected Assets

Silabs (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Control type: prevent
Directly mitigates the cryptographic implementation flaw in SHA2/224 by requiring identification, reporting, and timely correction of vulnerabilities like CVE-2024-8361.

Control type: prevent, detect
Protects system availability against the network-exploitable DoS triggered by the faulty SHA2/224 hash computation and assertion failure.

Control type: prevent
Ensures that error handling for the incorrect 256-bit hash output does not compromise availability through exploitable assertions that lead to crashes.

References