Cyber Posture

CVE-2024-57261

Severity: High

Published: 19 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In barebox before 2025.01.0, request2size in common/dlmalloc.c has an integer overflow, a related issue to CVE-2024-57258.

Security Summary

CVE-2024-57261 is an integer overflow vulnerability in the request2size function within common/dlmalloc.c in barebox versions before 2025.01.0. This issue, related to CVE-2024-57258, is classified under CWE-190 (Integer Overflow or Wraparound) and carries a CVSS v3.1 base score of 7.1 (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires physical access to the affected device and a high-complexity attack; no privileges or user interaction are needed. A successful attack can have a high impact on confidentiality, integrity, and availability, with a changed scope.

The fix is included in barebox 2025.01.0. The fixing commit is available at https://git.pengutronix.de/cgit/barebox/commit/?id=7cf25e0733f08f68d1bf0ca0c3cf6e2dfe51bd3c, and further discussion appears on the barebox mailing list at https://lists.infradead.org/pipermail/barebox/2024-November/048631.html.

Details

CWE(s): CWE-190

References