CVE-2023-34399

Critical

Published: 13 February 2025

Published

13 February 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0029 52.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Some values of this table are serialized archive according boost library. The version of boost library contains vulnerability integer overflow.

Security Summary

CVE-2023-34399 is an integer overflow vulnerability (CWE-190) in a version of the Boost library used for serialization in the Mercedes-Benz head-unit NTG6. This infotainment system component includes functions to import or export profile settings over USB, where certain table values are handled as serialized archives processed by the vulnerable Boost library. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability can be exploited by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N) required. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data (C:H), modification of system integrity (I:H), and disruption of availability (A:H).

Mitigation guidance is detailed in the associated security research advisory at https://securelist.com/mercedes-benz-head-unit-security-research/115218/.

Details

CWE(s): CWE-190

Affected Products

mercedes-benz

headunit ntg6 mercedes-benz user experience

≤ 2021

References

https://securelist.com/mercedes-benz-head-unit-security-research/115218/
Third Party Advisory · cve@mitre.org