Cyber Posture

CVE-2024-8361

Severity: High

Published: 07 January 2025

Modified: 15 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0026 (49.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, the device will restart after the watchdog expires. If a watchdog is not implemented, the device can be recovered only after a hard reset.

Security Summary

CVE-2024-8361 is a vulnerability in Silicon Labs SiWx91x devices: the SHA2/224 implementation returns a 256-bit hash instead of the expected 224-bit hash. The length mismatch trips a software assertion, which halts the device and results in a Denial of Service (DoS). The affected component is part of the cryptographic implementation in these devices.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): it is reachable over the network with low attack complexity and requires no privileges or user interaction, and its impact is limited to availability. A remote attacker can trigger the assertion by supplying input that causes the device to run the faulty SHA2/224 computation, crashing the device. If a watchdog timer is implemented, the device restarts once the watchdog expires; otherwise, recovery requires a hard reset. The issue is classified under CWE-131 (Incorrect Calculation of Buffer Size) and CWE-617 (Reachable Assertion).

For mitigation details, refer to the Silicon Labs community advisory at https://community.silabs.com/068Vm00000I7zqo. The vulnerability was published on 2025-01-07.

Details

CWE(s): CWE-131, CWE-617
