CVE-2023-34398

High

Published: 13 February 2025

Published

13 February 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0026 48.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Some values of this table are serialized archive according boost library. The boost library contains a vulnerability/null pointer dereference.

Security Summary

CVE-2023-34398 is a null pointer dereference vulnerability (CWE-476) in the Boost library's serialization functionality, affecting the Mercedes-Benz NTG6 head-unit. The issue arises in functions that import or export profile settings over USB, where certain table values are processed as serialized archives according to the Boost library, leading to the dereference during deserialization.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it can be exploited remotely over a network by unauthenticated attackers with low complexity and no user interaction. Exploitation triggers a crash in the affected component, resulting in denial-of-service with high availability impact but no confidentiality or integrity effects.

Mitigation details are outlined in the Kaspersky advisory at https://securelist.com/mercedes-benz-head-unit-security-research/115218/.

Details

CWE(s): CWE-476

Affected Products

mercedes-benz

headunit ntg6 mercedes-benz user experience

≤ 2021

References

https://securelist.com/mercedes-benz-head-unit-security-research/115218/
Third Party Advisory · cve@mitre.org