CVE-2024-10838

An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. This may result into secret data or pointers revealing the layout of the address space to be included into a deserialized data structure, which may potentially lead to thread crashes or cause denial of service conditions.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/eclipse-cyclonedds/cyclonedds/releases/tag/0.10.5	Patch
https://github.com/eclipse-cyclonedds/cyclonedds/security/advisories/GHSA-6jj6-w25p-jc42	Vendor Advisory Exploit
https://gitlab.eclipse.org/security/cve-assignement/-/issues/46	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:cyclone_data_distribution_service:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-12 13:15

Updated : 2025-07-31 16:33

NVD link : CVE-2024-10838

Mitre link : CVE-2024-10838

CVE.ORG link : CVE-2024-10838

JSON object : View

Products Affected

eclipse

cyclone_data_distribution_service

CWE

CWE-191

Integer Underflow (Wrap or Wraparound)

{"id": "CVE-2024-10838", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-12T13:15:36.060", "references": [{"url": "https://github.com/eclipse-cyclonedds/cyclonedds/releases/tag/0.10.5", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/eclipse-cyclonedds/cyclonedds/security/advisories/GHSA-6jj6-w25p-jc42", "tags": ["Vendor Advisory", "Exploit"], "source": "[email protected]"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/46", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-191"}]}], "descriptions": [{"lang": "en", "value": "An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. This may result into secret data or pointers revealing the layout of the address space to be included into a deserialized data structure, which may potentially lead to thread crashes or cause denial of service conditions."}, {"lang": "es", "value": "Un desbordamiento de enteros durante la deserializaci\u00f3n puede permitir que cualquier usuario no autenticado lea memoria del mont\u00f3n fuera de los l\u00edmites. Esto puede generar datos o punteros secretos que revelen la disposici\u00f3n del espacio de direcciones que se incluir\u00e1 en una estructura de datos deserializada, lo que podr\u00eda provocar fallos de subprocesos o denegaciones de servicio."}], "lastModified": "2025-07-31T16:33:56.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:cyclone_data_distribution_service:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62EB0BE5-27E0-43D0-867B-498A670BE2F1", "versionEndExcluding": "0.10.5"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}