CVE-2022-39829
Description
There is a NULL pointer dereference in aes256_encrypt in Samsung mTower through 0.3.0 due to a missing check on the return value of EVP_CIPHER_CTX_new.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Samsung mTower through 0.3.0 contains a NULL pointer dereference in aes256_encrypt due to missing return-value check of EVP_CIPHER_CTX_new.
Vulnerability
A NULL pointer dereference vulnerability exists in the aes256_encrypt function in Samsung mTower through version 0.3.0. The function calls EVP_CIPHER_CTX_new() without checking its return value [1][2]. If this call fails (e.g., due to memory exhaustion), a NULL pointer is passed to subsequent OpenSSL cipher operations, leading to a crash or undefined behavior.
Exploitation
An attacker does not need any special network position or authentication; the vulnerability is triggered when the code path calling aes256_encrypt is executed and memory allocation fails. This is a local condition, but the attacker may be able to force memory exhaustion or trigger the vulnerable path through crafted inputs that cause EVP_CIPHER_CTX_new() to fail [2].
Impact
Successful exploitation results in a NULL pointer dereference that causes a denial of service (DoS) via program crash. No code execution or data disclosure is documented. The impact is limited to availability loss.
Mitigation
No fix has been officially released as of the publication date. The vendor was notified via the issue tracker [2], but no patch commit exists in the repository at version 0.3.0. Users should monitor the repository for updates. As a workaround, adding a check for the return value of EVP_CIPHER_CTX_new() before using the context pointer can prevent the dereference.
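The workaround above can be turned into an audit step: the following added example (not code from mTower or from this CVE record) flags C functions that pass the result of EVP_CIPHER_CTX_new() to another call before testing it against NULL. The function name `unchecked_ctx_allocations` and the sample C input are constructed for illustration, and the check is a line-based heuristic rather than a C parser.

```python
import re

# Matches `ctx = EVP_CIPHER_CTX_new()` with or without a preceding declaration.
ALLOC = re.compile(r"\b(\w+)\s*=\s*EVP_CIPHER_CTX_new\s*\(\s*\)")

def unchecked_ctx_allocations(source):
    """Return [(line_no, var)] where the context reaches a call before a NULL test."""
    lines, findings = source.splitlines(), []
    for idx, line in enumerate(lines):
        m = ALLOC.search(line)
        # Skip non-allocations and `if ((ctx = EVP_CIPHER_CTX_new()) == NULL)` forms.
        if not m or re.search(r"\bif\s*\(", line[:m.start()]):
            continue
        var = re.escape(m.group(1))
        null_test = re.compile(
            rf"!\s*{var}\b|\b{var}\s*[!=]=\s*NULL|NULL\s*[!=]=\s*{var}\b"
            rf"|\bif\s*\(\s*{var}\s*\)")
        passed_to_call = re.compile(rf"\w\s*\([^;]*\b{var}\b")
        for later in lines[idx + 1:]:
            if later.startswith("}") or null_test.search(later):
                break  # function ended, or pointer checked before first use
            if passed_to_call.search(later):
                findings.append((idx + 1, m.group(1)))  # used while possibly NULL
                break
    return findings

# Constructed sample input (not mTower's source): one unchecked, one checked.
SAMPLE_C = """\
int encrypt_unchecked(void)
{
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
    EVP_CIPHER_CTX_free(ctx);
    return 0;
}
int encrypt_checked(void)
{
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL)
        return -1;
    EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
    EVP_CIPHER_CTX_free(ctx);
    return 0;
}
"""

if __name__ == "__main__":
    for line_no, var in unchecked_ctx_allocations(SAMPLE_C):
        print(f"line {line_no}: '{var}' used without a NULL check")
```

Findings are candidates for manual review; a check hidden behind a macro or helper function will be reported as unchecked.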
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Samsung/mTower
- Range: <=0.3.0
Patches
No patches discovered yet.
References
- github.com/Samsung/mTower/blob/18f4b592a8a973ce5972f4e2658ea0f6e3686284/tools/ecdsa_keygen.c
- github.com/Samsung/mTower/issues/75
- www.openssl.org/docs/manmaster/man3/EVP_CIPHER_CTX_new.html