What is CVE-2020-10070?

CVE-2020-10070 is a critical-severity vulnerability in Zephyrproject-rtos Zephyr, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.0/10. Published 2020-06-05.

How severe is CVE-2020-10070?

Critical severity. CVSS v3 base score is 9.0 out of 10.

Buffer overflow in Zephyrproject-rtos Zephyr

CVE-2020-10070

In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.

Vulnerability class: Buffer Overflow

EPSS: 0.065 (91.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.0 (Critical). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Zephyrproject-rtos Zephyr — versions 2.2.0

Weakness classification (CWE)

References

research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-as… (x_refsource_MISC)
zephyrprojectsec.atlassian.net/browse/ZEPSEC-85 (x_refsource_MISC)
docs.zephyrproject.org/latest/security/vulnerabilities.html (x_refsource_MISC)
github.com/zephyrproject-rtos/zephyr/pull/23821/commits/0b39cbf3c01d7feec9d0dd7… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-10070?: CVE-2020-10070 is a critical-severity vulnerability in Zephyrproject-rtos Zephyr, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.0/10. Published 2020-06-05.
How severe is CVE-2020-10070?: Critical severity. CVSS v3 base score is 9.0 out of 10.