6.3 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
0.0004 Low
EPSS
Percentile
12.6%
In IoT Devices SDK, there is an implementation of calloc() that doesn’t have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.
[
{
"product": "Google Cloud IoT Device SDK for Embedded C",
"vendor": "Google LLC",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]