VYPR
Severity: unrated · NVD advisory · Published Nov 20, 2024 · Updated Nov 25, 2024

CVE-2024-48983

Description

An issue was discovered in Mbed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet data by reading 2 bytes from the packet header. A buffer is then allocated to contain the entire packet, the size of which is calculated as the length of the packet body determined earlier plus the header length. WsfMsgAlloc then increments this again by sizeof(wsfMsg_t). This may cause an integer overflow that results in the buffer being significantly too small to contain the entire packet, and consequently a buffer overflow of up to 65 KB. This bug is trivial to exploit for a denial of service but can generally not be exploited further, because the exploitable buffer is dynamically allocated.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in the Mbed OS 6.16.0 HCI packet receive path leads to an undersized dynamically allocated buffer, a heap-style overflow of up to 65 KB, and a practical denial of service.

Vulnerability

In Mbed OS 6.16.0, the Cordio BLE stack's HCI packet processing code, in connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c (the function referenced in [1]), contains an integer overflow. When an HCI packet arrives, the stack reads a 2-byte length field from the packet header to size the payload, adds the header length to obtain the packet length, and passes that to WsfMsgAlloc, which adds sizeof(wsfMsg_t) for its own hidden message header before requesting the block from the buffer allocator. The description does not spell out the integer widths, but the 65 KB bound it gives is what a 16-bit wrap produces: a 2-byte length near 0xFFFF plus the header and message-header sizes wraps modulo 65536 to a small number, so the allocation succeeds with a block of only a few bytes, and the stack then copies the full packet into it.

Exploitation

An attacker who can deliver crafted HCI packets to a device running the vulnerable Mbed OS can trigger this bug. No authentication is required: a single HCI packet whose 2-byte length field is chosen so that the header-plus-sizeof(wsfMsg_t) arithmetic wraps (a value near 0xFFFF) makes the allocation succeed with a tiny block, after which the packet bytes that follow the header are written past it, by up to 65 KB. One caveat the description does not address: HCI packets travel between the host stack and the Bluetooth controller (typically over a UART or similar transport), and a conforming controller bounds the ACL data lengths it forwards to the host. The crafted length therefore has to reach the HCI transport itself, for example from a non-conforming or compromised controller or by injection on the host-controller link; the page does not establish that a remote peer over the air can set this field directly.

Impact

Successful exploitation writes up to 65 KB past a block that may be only a few bytes long. The practical impact is a crash of the BLE stack or the whole device (denial of service) through memory corruption. Because the undersized block is dynamically allocated (the WSF layer carves it from its buffer pools) rather than sitting at a fixed address, the description judges further exploitation such as code execution unlikely, though not impossible; what lies after the block depends on pool layout and allocation history. The description calls the denial-of-service case trivial to trigger.

Mitigation

A fix landed in pull request #388 on the mbed-ce/mbed-os repository (Mbed CE is the community-maintained fork of Mbed OS), titled "Cordio BLE: Fix integer overflows (CVE-2024-48983)" [2]. The fix adds overflow checks on the length arithmetic before the allocation, so a packet whose computed size would wrap is rejected instead of being allocated undersized. Users should move to an mbed-ce build that includes that PR (after November 19, 2024). The page does not say whether the upstream ARMmbed/mbed-os repository carries an equivalent change, so check it before relying on an upstream 6.16.x build. No workaround is documented. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
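As an added illustration, not code from Mbed OS, the Cordio stack or the fix in PR #388, the C model below reproduces the length arithmetic described in the Description, Vulnerability and Exploitation sections beside a checked version of the kind the Mitigation section describes. The model_wsfMsg_t type and its fixed 8-byte size, the function names, and the two ACL headers are assumptions constructed for this example; the real Cordio types, the exact receive function and the lines changed by the fix are not on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the wsfMsg_t header that WsfMsgAlloc prepends to every
 * message. The real layout differs; the fixed 8-byte size here is an
 * assumption chosen so the arithmetic below is identical on every host. */
typedef struct {
    uint32_t next;      /* stands in for the pNext pointer */
    uint8_t  handlerId;
    uint8_t  pad[3];
} model_wsfMsg_t;

/* HCI ACL data packet header: 2-byte handle/flags, 2-byte data length (LE). */
#define ACL_HDR_LEN 4u

/* Constructed headers used by main() and the tests (not captured traffic). */
const uint8_t kBenignHdr[ACL_HDR_LEN]  = { 0x40, 0x00, 0x1B, 0x00 }; /* 27-byte payload   */
const uint8_t kCraftedHdr[ACL_HDR_LEN] = { 0x40, 0x00, 0xFF, 0xFF }; /* 65535-byte payload */

/* Little-endian 16-bit data length from bytes 2..3 of the ACL header. */
uint16_t acl_data_len(const uint8_t *hdr)
{
    return (uint16_t)(hdr[2] | (hdr[3] << 8));
}

/* Vulnerable arithmetic: both additions are truncated to 16 bits, modelling a
 * uint16_t packet length handed to an allocator that takes a uint16_t length.
 * Returns the number of bytes the allocator is actually asked for. */
uint16_t vuln_alloc_len(uint16_t data_len)
{
    uint16_t pkt_len   = (uint16_t)(data_len + ACL_HDR_LEN);            /* 0xFFFF + 4 -> 3 */
    uint16_t alloc_len = (uint16_t)(pkt_len + sizeof(model_wsfMsg_t)); /* 3 + 8 -> 11     */
    return alloc_len;
}

/* Bytes the receive path would write past the block if it copies the full
 * header+data length into the truncated allocation. */
size_t vuln_overflow_bytes(uint16_t data_len)
{
    size_t   needed = (size_t)data_len + ACL_HDR_LEN;
    uint16_t got    = vuln_alloc_len(data_len);
    size_t   usable = got > sizeof(model_wsfMsg_t) ? got - sizeof(model_wsfMsg_t) : 0;
    return needed > usable ? needed - usable : 0;
}

/* Hardened arithmetic: do the sum in a wider type and refuse anything that
 * does not fit the 16-bit allocator argument. Returns false on overflow so the
 * caller drops the packet; *out (if non-NULL) receives the safe length. */
bool safe_alloc_len(uint16_t data_len, uint16_t *out)
{
    uint32_t total = (uint32_t)data_len + ACL_HDR_LEN + (uint32_t)sizeof(model_wsfMsg_t);
    if (total > UINT16_MAX)
        return false;
    if (out)
        *out = (uint16_t)total;
    return true;
}

/* Receive-side gate: parse the header and decide whether to allocate at all. */
bool hardened_accept(const uint8_t *hdr, uint16_t *alloc_len)
{
    return safe_alloc_len(acl_data_len(hdr), alloc_len);
}

int main(void)
{
    const uint8_t *hdrs[] = { kBenignHdr, kCraftedHdr };
    for (size_t i = 0; i < 2; i++) {
        uint16_t len  = acl_data_len(hdrs[i]);
        uint16_t safe = 0;
        printf("data_len=%5u  vuln_alloc=%5u  overflow=%6zu bytes  hardened=%s\n",
               len, vuln_alloc_len(len), vuln_overflow_bytes(len),
               hardened_accept(hdrs[i], &safe) ? "accept" : "reject");
    }
    return 0;
}
```

The benign header yields a 39-byte request with no overflow; the crafted header makes the vulnerable path request 11 bytes for a 65539-byte packet, leaving 65536 bytes to be written past the block, while the checked path rejects it before any allocation. A length of 0xFFF8 shows the second addition wrapping on its own (the packet length 0xFFFC survives, but adding the 8-byte message header wraps to 4), which is why the check must cover the whole sum rather than only the first addition.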

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • MBed OS / MBed OS (as named in the description)
  • Arm / Mbed OS (fuzzy match), affected range: = 6.16.0

Patches

No patches linked in this index yet; see the mbed-ce/mbed-os pull request #388 cited under Mitigation.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

Two references are cited inline: [1], the wsf_msg.c source file in the Cordio stack, and [2], pull request #388 on mbed-ce/mbed-os.

News mentions

No linked articles in our index yet.