VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2024 · Updated Nov 25, 2024

CVE-2024-48984

Description

An issue was discovered in MBed OS 6.16.0. When parsing HCI reports, the HCI parsing software dynamically determines the length of a list of reports by reading a byte from an input stream. It then fetches the length of the first report, uses it to calculate the beginning of the second report, etc. In doing this, it tracks the largest report so it can later allocate a buffer that fits every individual report (but only one at a time). It does not, however, validate that these addresses are all contained within the buffer passed to hciEvtProcessLeExtAdvReport. It is then possible, though unlikely, that the buffer designated to hold the reports is allocated in such a way that one of these out-of-bounds length fields is contained within the new buffer. When the (n-1)th report is copied, it overwrites the length field of the nth report. This now corrupted length field is then used for a memcpy into the new buffer, which may lead to a buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The BLE HCI event parser in MBed OS 6.16.0 has an out-of-bounds read that can lead to a heap buffer overflow when it processes a crafted LE Extended Advertising Report event.

Vulnerability

In MBed OS 6.16.0, the function hciEvtProcessLeExtAdvReport in hci_evt.c [1] parses HCI LE Extended Advertising Report events. A single event carries several reports: the parser reads the report count from one byte of the event, then walks the reports in sequence, reading each report's length field and using it to locate the next report, while tracking the largest length so it can later allocate one buffer that holds any single report. It never checks that the running offset, and therefore the length field it is about to read, still lies inside the event buffer it was handed. If the declared length of report n-1 carries the offset past the end of the event, the length field of report n is read from memory outside the buffer.

Exploitation

An attacker within radio range transmits crafted extended advertising PDUs from a BLE advertiser under their control; the target device's own Bluetooth controller turns those into HCI LE Extended Advertising Report events and hands them to the host stack, where the vulnerable parser runs. No pairing or connection is required, since advertising is received before any of that. The parsing logic then reads report lengths from memory past the end of the event. If the buffer allocated for the reports happens to overlap that out-of-bounds location, copying report n-1 into it overwrites the length field of report n; the corrupted length is then used for the memcpy of report n into the same buffer, which can overflow it on the heap.

Impact

Successful exploitation results in heap memory corruption, which can at minimum crash the BLE stack (denial of service) and, depending on what neighbours the overflowed buffer, could be steered toward code execution. Practical exploitability is limited by the precise heap-layout requirement (the description itself calls the overlap "possible, though unlikely"), but the trigger is an unauthenticated over-the-air advertisement, so the bug should be treated as remotely reachable memory corruption.

Mitigation

The issue is fixed in pull request #387 [2], which adds bounds checking to ensure all report length fields are within the input buffer. Users should update to a patched version of MBed OS (the fix was merged on 2024-11-19). No workaround is available; updating is recommended. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
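The walk described in the Description, Vulnerability and Mitigation passages above, as an added example: this is not mbed-os code and not the patched code from PR #387, but a model of the same logic. It places the pre-fix walk, which trusts every Data_Length byte, next to a bounds-checked walk and the allocate-largest-then-copy step. It assumes the Core Specification layout of one extended advertising report (23 fixed bytes, then a 1-byte Data_Length, then the data); the 256-byte arena, the planted byte at offset 148 and the three scenarios are constructed inputs. The real bug reads memory the parser does not own; here the over-read is kept inside the arena so it can be observed rather than cause undefined behaviour.

```c
/* Model of the HCI LE Extended Advertising Report walk described above. Added example, not
 * mbed-os code; assumes the Core Spec layout: 23 fixed bytes, 1-byte Data_Length, then data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RPT_DATA_LEN_OFF 23                     /* Data_Length follows 23 fixed bytes */
#define RPT_HDR_LEN      (RPT_DATA_LEN_OFF + 1)
typedef struct {
    size_t max_report_len; /* largest RPT_HDR_LEN + Data_Length seen: the buffer size */
    size_t oob_len_offset; /* first Data_Length read at or past evt_len (0 = none) */
    bool   rejected;       /* hardened walker refused the event */
} walk_result_t;
/* Pre-fix logic: trusts every Data_Length and never compares the running offset with
 * evt_len. For this demo evt lives inside an arena of arena_len bytes so the out-of-bounds
 * reads land in defined memory; the real parser has no such guard. */
static walk_result_t walk_unchecked(const uint8_t *evt, size_t evt_len, size_t arena_len)
{
    walk_result_t r = {0};
    size_t off = 1, n = evt[0];                             /* evt[0] = Num_Reports */
    for (size_t i = 0; i < n; i++) {
        size_t len_off = off + RPT_DATA_LEN_OFF;
        if (len_off >= arena_len) break;                    /* demo guard only */
        if (len_off >= evt_len && r.oob_len_offset == 0)
            r.oob_len_offset = len_off;                     /* read past the event */
        size_t rlen = RPT_HDR_LEN + evt[len_off];
        if (rlen > r.max_report_len) r.max_report_len = rlen;
        off += rlen;
    }
    return r;
}
/* Hardened walk: each header and each declared Data_Length must fit inside the event,
 * and the reports must consume it exactly. */
static walk_result_t walk_checked(const uint8_t *evt, size_t evt_len)
{
    walk_result_t r = {0};
    if (evt_len < 1) { r.rejected = true; return r; }
    size_t off = 1, n = evt[0];
    for (size_t i = 0; i < n; i++) {
        if (evt_len - off < RPT_HDR_LEN) { r.rejected = true; return r; }
        size_t rlen = RPT_HDR_LEN + evt[off + RPT_DATA_LEN_OFF];
        if (evt_len - off < rlen) { r.rejected = true; return r; }
        if (rlen > r.max_report_len) r.max_report_len = rlen;
        off += rlen;
    }
    if (off != evt_len) r.rejected = true;                  /* trailing bytes */
    return r;
}
/* Second pass as the description lays it out: one buffer sized for the largest report,
 * each report memcpy'd into it in turn, using only lengths walk_checked() accepted.
 * Returns the number of reports handled, or -1 if the event was rejected. */
static int process_reports(const uint8_t *evt, size_t evt_len)
{
    walk_result_t w = walk_checked(evt, evt_len);
    if (w.rejected) return -1;
    uint8_t *buf = malloc(w.max_report_len ? w.max_report_len : 1);
    if (!buf) return -1;
    int done = 0;
    for (size_t off = 1; off < evt_len; done++) {
        size_t rlen = RPT_HDR_LEN + evt[off + RPT_DATA_LEN_OFF];
        memcpy(buf, evt + off, rlen);                       /* rlen <= max_report_len */
        off += rlen;
    }
    free(buf);
    return done;
}
/* Constructed inputs written into g_arena; returns the event length. 0: two honest
 * reports (3 and 5 data bytes). 1: report 0 claims 100 data bytes but carries 4, then a
 * second report. 2: scenario 0 with Num_Reports patched to 3. Byte 148, past the event
 * in every case, is planted as 0xF0 to stand in for whatever neighbouring memory holds. */
static uint8_t g_arena[256];
static size_t load_scenario(int which)
{
    const uint8_t claimed[2] = { which == 1 ? 100 : 3, which == 1 ? 0 : 5 };
    const size_t  actual[2]  = { which == 1 ? 4 : 3, which == 1 ? 2 : 5 };
    size_t off = 1;
    memset(g_arena, 0, sizeof g_arena);
    g_arena[0] = which == 2 ? 3 : 2;
    for (int i = 0; i < 2; i++) {
        memset(g_arena + off, 0x11, RPT_DATA_LEN_OFF);      /* address/PHY/RSSI filler */
        g_arena[off + RPT_DATA_LEN_OFF] = claimed[i];
        memset(g_arena + off + RPT_HDR_LEN, 0xAA, actual[i]);
        off += RPT_HDR_LEN + actual[i];
    }
    g_arena[148] = 0xF0;
    return off;
}
int main(void)
{
    for (int s = 0; s < 3; s++) {
        size_t len = load_scenario(s);
        walk_result_t u = walk_unchecked(g_arena, len, sizeof g_arena);
        printf("scenario %d: unchecked max=%zu oob_off=%zu, checked processed=%d\n", s,
               u.max_report_len, u.oob_len_offset, process_reports(g_arena, len));
    }
    return 0;
}
```

In scenario 1 the unchecked walk takes its second length from byte 148, which is not part of the 55-byte event at all, and sizes the buffer from it; the checked walk rejects the event at the first report because its declared 124 bytes do not fit in the 54 that remain. Scenario 2 shows the same check catching a Num_Reports count larger than the reports actually present, a case the per-report length check alone would miss. The final `off != evt_len` test is stricter than the description requires and is the kind of check a practitioner would add anyway: an event with trailing bytes is malformed, and refusing it costs nothing.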

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • MBed OS / MBed OS (matched from the CVE description)
  • Arm / Mbed OS (LLM fuzzy match), affected range: = 6.16.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.