Common Weakness Enumeration

CWE-123

Allowed

Write-what-where Condition

Abstraction: Base · Status: Draft

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

82 vulnerabilities reference this CWE, most recent first.

CVE-2025-7403 (GCVE-0-2025-7403)

Vulnerability from cvelistv5 – Published: 2025-09-19 05:19 – Updated: 2025-09-19 13:09
VLAI
Title
Bluetooth: bt_conn_tx_processor unsafe handling
Summary
Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
Assigner
Impacted products
Vendor Product Version
zephyrproject-rtos Zephyr Affected: * , ≤ 4.1 (git)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-7403",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-19T13:08:58.331257Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-19T13:09:05.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "Zephyr",
          "product": "Zephyr",
          "repo": "https://github.com/zephyrproject-rtos/zephyr",
          "vendor": "zephyrproject-rtos",
          "versions": [
            {
              "lessThanOrEqual": "4.1",
              "status": "affected",
              "version": "*",
              "versionType": "git"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Bluetooth: bt_conn_tx_processor unsafe handling"
            }
          ],
          "value": "Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-19T05:19:18.675Z",
        "orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
        "shortName": "zephyr"
      },
      "references": [
        {
          "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9r46-cqqw-6j2j"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Bluetooth: bt_conn_tx_processor unsafe handling",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
    "assignerShortName": "zephyr",
    "cveId": "CVE-2025-7403",
    "datePublished": "2025-09-19T05:19:18.675Z",
    "dateReserved": "2025-07-10T04:08:30.581Z",
    "dateUpdated": "2025-09-19T13:09:05.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47438 (GCVE-0-2024-47438)

Vulnerability from cvelistv5 – Published: 2024-11-12 20:02 – Updated: 2024-11-12 20:25
VLAI
Title
Substance3D - Painter | Write-what-where Condition (CWE-123)
Summary
Substance3D - Painter versions 10.1.0 and earlier are affected by a Write-what-where Condition vulnerability that could lead to a memory leak. This vulnerability allows an attacker to write a controlled value at a controlled memory location, which could result in the disclosure of sensitive memory content. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition (CWE-123)
Assigner
References
Impacted products
Vendor Product Version
Adobe Substance3D - Painter Affected: 0 , ≤ 10.1.0 (semver)
Create a notification for this product.
adobe substance_3d_painter Affected: 0 , ≤ 10.1.0 (custom)
    cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-11-12 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "substance_3d_painter",
            "vendor": "adobe",
            "versions": [
              {
                "lessThanOrEqual": "10.1.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47438",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T20:16:04.087743Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T20:25:31.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Substance3D - Painter",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "10.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-11-12T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Substance3D - Painter versions 10.1.0 and earlier are affected by a Write-what-where Condition vulnerability that could lead to a memory leak. This vulnerability allows an attacker to write a controlled value at a controlled memory location, which could result in the disclosure of sensitive memory content. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 5.5,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 5.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "Write-what-where Condition (CWE-123)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-12T20:02:14.066Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/substance3d_painter/apsb24-86.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Substance3D - Painter | Write-what-where Condition (CWE-123)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2024-47438",
    "datePublished": "2024-11-12T20:02:14.066Z",
    "dateReserved": "2024-09-24T17:40:22.372Z",
    "dateUpdated": "2024-11-12T20:25:31.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45142 (GCVE-0-2024-45142)

Vulnerability from cvelistv5 – Published: 2024-10-09 13:28 – Updated: 2024-10-09 17:29
VLAI
Title
Substance3D - Stager | Write-what-where Condition (CWE-123)
Summary
Substance3D - Stager versions 3.0.3 and earlier are affected by a Write-what-where Condition vulnerability that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability allows an attacker to write a controlled value to an arbitrary memory location, potentially leading to code execution. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition (CWE-123)
Assigner
References
Impacted products
Vendor Product Version
Adobe Substance3D - Stager Affected: 0 , ≤ 3.0.3 (semver)
Create a notification for this product.
adobe substance_3d_stager Affected: 0 , ≤ 3.0.3 (semver)
    cpe:2.3:a:adobe:substance_3d_stager:-:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-10-08 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:adobe:substance_3d_stager:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "substance_3d_stager",
            "vendor": "adobe",
            "versions": [
              {
                "lessThanOrEqual": "3.0.3",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T17:25:51.409049Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T17:29:06.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Substance3D - Stager",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "3.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-10-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Substance3D - Stager versions 3.0.3 and earlier are affected by a Write-what-where Condition vulnerability that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability allows an attacker to write a controlled value to an arbitrary memory location, potentially leading to code execution. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "Write-what-where Condition (CWE-123)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-09T13:28:45.183Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Substance3D - Stager | Write-what-where Condition (CWE-123)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2024-45142",
    "datePublished": "2024-10-09T13:28:45.183Z",
    "dateReserved": "2024-08-21T23:00:59.350Z",
    "dateUpdated": "2024-10-09T17:29:06.772Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-42479 (GCVE-0-2024-42479)

Vulnerability from cvelistv5 – Published: 2024-08-12 15:07 – Updated: 2024-08-13 13:47
VLAI
Title
llama.cpp allows write-what-where in rpc_server::set_tensor
Summary
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
Assigner
References
Impacted products
Vendor Product Version
ggerganov llama.cpp Affected: < b3561
Create a notification for this product.
ggerganov llama.cpp Affected: 0 , < b3561 (custom)
    cpe:2.3:a:ggerganov:llama.cpp:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ggerganov:llama.cpp:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "llama.cpp",
            "vendor": "ggerganov",
            "versions": [
              {
                "lessThan": "b3561",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42479",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T18:14:47.266581Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T13:47:10.838Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "llama.cpp",
          "vendor": "ggerganov",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c b3561"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "CWE-123: Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T15:07:19.150Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj"
        },
        {
          "name": "https://github.com/ggerganov/llama.cpp/commit/b72942fac998672a79a1ae3c03b340f7e629980b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ggerganov/llama.cpp/commit/b72942fac998672a79a1ae3c03b340f7e629980b"
        }
      ],
      "source": {
        "advisory": "GHSA-wcr5-566p-9cwj",
        "discovery": "UNKNOWN"
      },
      "title": "llama.cpp allows write-what-where in rpc_server::set_tensor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-42479",
    "datePublished": "2024-08-12T15:07:19.150Z",
    "dateReserved": "2024-08-02T14:13:04.616Z",
    "dateUpdated": "2024-08-13T13:47:10.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-20741 (GCVE-0-2024-20741)

Vulnerability from cvelistv5 – Published: 2024-02-15 10:12 – Updated: 2024-08-06 15:36
VLAI
Title
Adobe Substance 3D Paint ICO Parsing Access Violation Write Vulnerability
Summary
Substance3D - Painter versions 9.1.1 and earlier are affected by a Write-what-where Condition vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition (CWE-123)
Assigner
References
Impacted products
Vendor Product Version
Adobe Substance3D - Painter Affected: 0 , ≤ 9.1.1 (semver)
Create a notification for this product.
Date Public
2024-02-13 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:59:42.909Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/substance3d_painter/apsb24-04.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-20741",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-22T05:00:37.467064Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-06T15:36:36.143Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Substance3D - Painter",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "9.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-02-13T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Substance3D - Painter versions 9.1.1 and earlier are affected by a Write-what-where Condition vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "NOT_DEFINED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "Write-what-where Condition (CWE-123)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-15T10:12:16.875Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/substance3d_painter/apsb24-04.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Adobe Substance 3D Paint ICO Parsing Access Violation Write Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2024-20741",
    "datePublished": "2024-02-15T10:12:16.875Z",
    "dateReserved": "2023-12-04T16:52:22.972Z",
    "dateUpdated": "2024-08-06T15:36:36.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-20141 (GCVE-0-2024-20141)

Vulnerability from cvelistv5 – Published: 2025-02-03 03:23 – Updated: 2025-02-03 16:14
VLAI
Summary
In V5 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291402; Issue ID: MSV-2073.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "PHYSICAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-20141",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-03T16:09:38.857762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-03T16:14:10.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6885, MT6893, MT8167, MT8167S, MT8175, MT8185, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8395, MT8666, MT8667, MT8673, MT8675, MT8678, MT8765, MT8766, MT8768, MT8771, MT8775, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8795T, MT8797, MT8798, MT8893",
          "vendor": "MediaTek, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "Android 12.0, 13.0, 14.0, 15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In V5 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291402; Issue ID: MSV-2073."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "CWE-123 Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-03T03:23:56.024Z",
        "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "shortName": "MediaTek"
      },
      "references": [
        {
          "url": "https://corp.mediatek.com/product-security-bulletin/February-2025"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
    "assignerShortName": "MediaTek",
    "cveId": "CVE-2024-20141",
    "datePublished": "2025-02-03T03:23:56.024Z",
    "dateReserved": "2023-11-02T13:35:35.184Z",
    "dateUpdated": "2025-02-03T16:14:10.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-20119 (GCVE-0-2024-20119)

Vulnerability from cvelistv5 – Published: 2024-11-04 01:49 – Updated: 2024-11-04 10:22
VLAI
Summary
In mms, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09062301; Issue ID: MSV-1620.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
Assigner
Impacted products
Vendor Product Version
MediaTek, Inc. MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8676 Affected: Android 12.0, 13.0, 14.0, 15.0
Create a notification for this product.
mediatek mt6739 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6761 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6765 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6768 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6779 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6779:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6781 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6785 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6785:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6789 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6833 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6835 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6853 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6855 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6873 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6873:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6877 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6883 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6885 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6889 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6893 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt8676 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:*
Create a notification for this product.
google android Affected: 12.0
Affected: 13.0
Affected: 14.0
Affected: 15.0
    cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6739",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6761",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6765",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6768",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6779:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6779",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6781",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6785:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6785",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6789",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6833",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6835",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6853",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6855",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6873:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6873",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6877",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6883",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6885",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6889",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6893",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt8676",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*",
              "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*",
              "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*",
              "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "android",
            "vendor": "google",
            "versions": [
              {
                "status": "affected",
                "version": "12.0"
              },
              {
                "status": "affected",
                "version": "13.0"
              },
              {
                "status": "affected",
                "version": "14.0"
              },
              {
                "status": "affected",
                "version": "15.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-20119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-04T10:21:08.734520Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T10:22:09.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8676",
          "vendor": "MediaTek, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "Android 12.0, 13.0, 14.0, 15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In mms, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09062301; Issue ID: MSV-1620."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "CWE-123 Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T01:49:32.806Z",
        "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "shortName": "MediaTek"
      },
      "references": [
        {
          "url": "https://corp.mediatek.com/product-security-bulletin/November-2024"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
    "assignerShortName": "MediaTek",
    "cveId": "CVE-2024-20119",
    "datePublished": "2024-11-04T01:49:32.806Z",
    "dateReserved": "2023-11-02T13:35:35.179Z",
    "dateUpdated": "2024-11-04T10:22:09.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-20118 (GCVE-0-2024-20118)

Vulnerability from cvelistv5 – Published: 2024-11-04 01:49 – Updated: 2024-11-04 10:23
VLAI
Summary
In mms, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09062392; Issue ID: MSV-1621.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
Assigner
Impacted products
Vendor Product Version
MediaTek, Inc. MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8676, MT8792 Affected: Android 12.0, 13.0, 14.0, 15.0
Create a notification for this product.
mediatek mt6739 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6761 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6765 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6768 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6779 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6779:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6781 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6785 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6785:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6789 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6833 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6835 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6853 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6855 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6873 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6873:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6877 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6883 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6885 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6889 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt6893 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt8676 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:*
Create a notification for this product.
mediatek mt8792 Affected: 0 , ≤ * (custom)
    cpe:2.3:h:mediatek:mt8792:-:*:*:*:*:*:*:*
Create a notification for this product.
google android Affected: 12.0
Affected: 13.0
Affected: 14.0
Affected: 15.0
    cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6739",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6761",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6765",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6768",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6779:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6779",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6781",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6785:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6785",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6789",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6833",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6835",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6853",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6855",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6873:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6873",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6877",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6883",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6885",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6889",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt6893",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt8676",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:mediatek:mt8792:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mt8792",
            "vendor": "mediatek",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*",
              "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*",
              "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*",
              "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "android",
            "vendor": "google",
            "versions": [
              {
                "status": "affected",
                "version": "12.0"
              },
              {
                "status": "affected",
                "version": "13.0"
              },
              {
                "status": "affected",
                "version": "14.0"
              },
              {
                "status": "affected",
                "version": "15.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-20118",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-04T10:22:56.539116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T10:23:47.722Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8676, MT8792",
          "vendor": "MediaTek, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "Android 12.0, 13.0, 14.0, 15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In mms, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09062392; Issue ID: MSV-1621."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "CWE-123 Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T01:49:30.053Z",
        "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "shortName": "MediaTek"
      },
      "references": [
        {
          "url": "https://corp.mediatek.com/product-security-bulletin/November-2024"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
    "assignerShortName": "MediaTek",
    "cveId": "CVE-2024-20118",
    "datePublished": "2024-11-04T01:49:30.053Z",
    "dateReserved": "2023-11-02T13:35:35.179Z",
    "dateUpdated": "2024-11-04T10:23:47.722Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-6563 (GCVE-0-2024-6563)

Vulnerability from cvelistv5 – Published: 2024-07-08 15:09 – Updated: 2024-08-01 21:41
VLAI
Title
Buffer Overflow Arbitrary Write
Summary
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C . In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
Impacted products
Vendor Product Version
Renesas rcar_gen3_v2.5 Affected: c2f286820471ed276c57e603762bd831873e5a17 , ≤ c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 (git)
Create a notification for this product.
renesas rcar_gen3_firmware Affected: v2.5
    cpe:2.3:o:renesas:rcar_gen3_firmware:v2.5:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Ilay levi
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:renesas:rcar_gen3_firmware:v2.5:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rcar_gen3_firmware",
            "vendor": "renesas",
            "versions": [
              {
                "status": "affected",
                "version": "v2.5"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6563",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-08T15:29:36.318090Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T16:32:55.399Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:41:03.975Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://asrg.io/security-advisories/cve-2024-6563/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "arm-trusted-firmware",
          "product": "rcar_gen3_v2.5",
          "programFiles": [
            "https://github.com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.c"
          ],
          "repo": "https://github.com/renesas-rcar/arm-trusted-firmware/",
          "vendor": "Renesas",
          "versions": [
            {
              "lessThanOrEqual": "c9fb3558410032d2660c7f3b7d4b87dec09fe2f2",
              "status": "affected",
              "version": "c2f286820471ed276c57e603762bd831873e5a17",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ilay levi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C\"\u003ehttps://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i...\u003c/a\u003e\u003c/tt\u003e.\u003cbr\u003e\n\n\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files  https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-549",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-549 Local Execution of Code"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "CWE-123: Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-08T15:13:27.519Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://asrg.io/security-advisories/cve-2024-6563/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Buffer Overflow Arbitrary Write",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2024-6563",
    "datePublished": "2024-07-08T15:09:51.326Z",
    "dateReserved": "2024-07-08T15:06:43.647Z",
    "dateUpdated": "2024-08-01T21:41:03.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-40262 (GCVE-0-2022-40262)

Vulnerability from cvelistv5 – Published: 2022-09-20 17:35 – Updated: 2025-05-27 18:13
VLAI
Title
The arbitrary write vulnerability in S3Resume2Pei leads to arbitrary code execution during PEI phase.
Summary
A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. This can lead to the mitigations bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory. This issue affects: Module name: S3Resume2Pei SHA256: 7bb29f05534a8a1e010443213451425098faebd45948a4642db969b19d0253fc Module GUID: 89E549B0-7CFE-449D-9BA3-10D8B2312D71
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-123 - Write-what-where Condition
Assigner
References
Impacted products
Vendor Product Version
AMI Aptio Affected: 5.x
Create a notification for this product.
Date Public
2022-08-11 00:00
Credits
Binarly efiXplorer team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:14:40.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.ami.com/security-center/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.binarly.io/advisories/BRLY-2022-009"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-40262",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-27T18:12:31.153646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-27T18:13:02.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Aptio",
          "vendor": "AMI",
          "versions": [
            {
              "status": "affected",
              "version": "5.x"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Binarly efiXplorer team"
        }
      ],
      "datePublic": "2022-08-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. This can lead to the mitigations bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory. This issue affects: Module name: S3Resume2Pei SHA256: 7bb29f05534a8a1e010443213451425098faebd45948a4642db969b19d0253fc Module GUID: 89E549B0-7CFE-449D-9BA3-10D8B2312D71"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-123",
              "description": "CWE-123 Write-what-where Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-20T17:35:35.000Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.ami.com/security-center/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.binarly.io/advisories/BRLY-2022-009"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "The arbitrary write vulnerability in S3Resume2Pei leads to arbitrary code execution during PEI phase.",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "DATE_PUBLIC": "2022-08-11T01:03:00.000Z",
          "ID": "CVE-2022-40262",
          "STATE": "PUBLIC",
          "TITLE": "The arbitrary write vulnerability in S3Resume2Pei leads to arbitrary code execution during PEI phase."
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Aptio",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "5.x",
                            "version_value": "5.x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AMI"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Binarly efiXplorer team"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. This can lead to the mitigations bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory. This issue affects: Module name: S3Resume2Pei SHA256: 7bb29f05534a8a1e010443213451425098faebd45948a4642db969b19d0253fc Module GUID: 89E549B0-7CFE-449D-9BA3-10D8B2312D71"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-123 Write-what-where Condition"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ami.com/security-center/",
              "refsource": "MISC",
              "url": "https://www.ami.com/security-center/"
            },
            {
              "name": "https://www.binarly.io/advisories/BRLY-2022-009",
              "refsource": "MISC",
              "url": "https://www.binarly.io/advisories/BRLY-2022-009"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2022-40262",
    "datePublished": "2022-09-20T17:35:36.008Z",
    "dateReserved": "2022-09-08T00:00:00.000Z",
    "dateUpdated": "2025-05-27T18:13:02.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

Mitigation
Operation

Use OS-level preventative functionality integrated after the fact. Not a complete solution.

No CAPEC attack patterns related to this CWE.