CVE-2024-10395

High

Published: 03 February 2025

Published

03 February 2025

Modified

29 October 2025

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS Score 0.0028 51.3th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

No proper validation of the length of user input in http_server_get_content_type_from_extension.

Security Summary

CVE-2024-10395 affects the Zephyr RTOS, specifically in the http_server_get_content_type_from_extension function, which lacks proper validation of the length of user input. This flaw, mapped to CWE-127, carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating high severity due to its potential for significant availability disruption alongside limited confidentiality and integrity impacts.

Remote attackers require no privileges, can exploit it over the network with low complexity and no user interaction, and achieve low-level confidentiality and integrity effects while causing high availability impact, such as denial of service through improper handling of oversized input.

The Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfww-j92m-x8fv provides details on the vulnerability and mitigation guidance.

Details

CWE(s): CWE-127

Affected Products

zephyrproject

zephyr

≤ 3.7.0

References

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfww-j92m-x8fv
Patch, Vendor Advisory · vulnerabilities@zephyrproject.org
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfww-j92m-x8fv
Patch, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0