CVE-2025-24797 PUBLISHED

Meshtastic incorrectly hands malformed packets leads to controlled buffer overflow

Assigner: GitHub_M
Reserved: 23.01.2025 Published: 14.04.2025 Updated: 15.04.2025

Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability fixed in 2.6.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CVSS Score: 9.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	meshtastic
Product	firmware
Versions	Version < 2.6.2 is affected

References

https://github.com/meshtastic/firmware/security/advisories/GHSA-33hw-xhfh-944r

Problem Types

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE
CWE-122: Heap-based Buffer Overflow CWE