CVE-2024-10838
Published: 12 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Security Summary
CVE-2024-10838, published on 2025-03-12, is an integer underflow vulnerability (CWE-191) affecting Eclipse CycloneDDS. The flaw occurs during deserialization and enables out-of-bounds reads of heap memory, potentially incorporating secret data or pointers that reveal the address space layout into deserialized data structures.
Any unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity, as indicated by its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). Successful exploitation may leak sensitive information via confidentiality impacts or trigger thread crashes and denial-of-service conditions through availability impacts.
Advisories and patches are detailed in Eclipse CycloneDDS resources, including the GitHub security advisory (GHSA-6jj6-w25p-jc42) and release tag 0.10.5, with CVE assignment tracked at Eclipse GitLab issue 46. Security practitioners should review these for mitigation guidance, such as updating to the patched version.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated deserialization flaw enables OOB heap reads leaking secret data (credential access via exploitation) and crashes (DoS); directly maps to T1190 for initial access on public-facing services and T1212 for credential access.