CVE-2024-47249

Improper Validation of Array Index vulnerability in Apache NimBLE. Lack of input validation for HCI events from controller could result in out-of-bound memory corruption and crash. This issue requires broken or bogus Bluetooth controller and thus severity is considered low. This issue affects Apache NimBLE: through 1.7.0. Users are recommended to upgrade to version 1.8.0, which fixes the issue.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/mynewt-nimble/commit/f39330866a85fa4de49246e9d21334bc8d14f0a1	Patch
https://lists.apache.org/thread/7ckxw6481dp68ons627pjcb27c75n0mq	Vendor Advisory Mailing List
http://www.openwall.com/lists/oss-security/2024/11/26/3	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-11-26 12:15

Updated : 2025-07-08 14:17

NVD link : CVE-2024-47249

Mitre link : CVE-2024-47249

CVE.ORG link : CVE-2024-47249

JSON object : View

Products Affected

apache

nimble

CWE

CWE-129

Improper Validation of Array Index

{"id": "CVE-2024-47249", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}]}, "published": "2024-11-26T12:15:19.123", "references": [{"url": "https://github.com/apache/mynewt-nimble/commit/f39330866a85fa4de49246e9d21334bc8d14f0a1", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/7ckxw6481dp68ons627pjcb27c75n0mq", "tags": ["Vendor Advisory", "Mailing List"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2024/11/26/3", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "Improper Validation of Array Index vulnerability in Apache NimBLE.\n\nLack of input validation for HCI events from controller could result in out-of-bound memory corruption and crash.\nThis issue requires broken or bogus Bluetooth controller and thus severity is considered low.\nThis issue affects Apache NimBLE: through 1.7.0.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n incorrecta del \u00edndice de matriz en Apache NimBLE. La falta de validaci\u00f3n de entrada para eventos HCI del controlador podr\u00eda provocar una corrupci\u00f3n de la memoria fuera de los l\u00edmites y un bloqueo. Este problema requiere un controlador Bluetooth da\u00f1ado o falso y, por lo tanto, se considera de baja gravedad. Este problema afecta a Apache NimBLE: hasta la versi\u00f3n 1.7.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.8.0, que soluciona el problema."}], "lastModified": "2025-07-08T14:17:12.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71BB8957-7DC2-4E02-B560-1526E9758F46", "versionEndExcluding": "1.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}