What is CVE-2020-10071?

CVE-2020-10071 is a critical-severity vulnerability in Zephyrproject-rtos Zephyr, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.0/10. Published 2020-06-05.

How severe is CVE-2020-10071?

Critical severity. CVSS v3 base score is 9.0 out of 10.

Buffer overflow in Zephyrproject-rtos Zephyr

CVE-2020-10071

The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0…

Vulnerability class: Buffer Overflow

EPSS: 0.139 (94.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.0 (Critical). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Zephyrproject-rtos Zephyr — versions 2.2.0

Weakness classification (CWE)

References

research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-as… (x_refsource_MISC)
zephyrprojectsec.atlassian.net/browse/ZEPSEC-86 (x_refsource_MISC)
docs.zephyrproject.org/latest/security/vulnerabilities.html (x_refsource_MISC)
github.com/zephyrproject-rtos/zephyr/pull/23821/commits/989c4713ba429aa5105fe47… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-10071?: CVE-2020-10071 is a critical-severity vulnerability in Zephyrproject-rtos Zephyr, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.0/10. Published 2020-06-05.
How severe is CVE-2020-10071?: Critical severity. CVSS v3 base score is 9.0 out of 10.