[threadx-dev] Three CVEs for ThreadX published

Dear all,
We have just published three CVEs for ThreadX (various modules).

CVE-2024-2212  HIGH Integer wraparounds, under-allocations, and heap buffer overflows in Eclipse ThreadX xQueueCreate() and xQueueCreateSet()

CVE-2024-2214  HIGH Missing array size check in _Mtxinit() in the Xtensa port

CVE-2024-2452  HIGH Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo __portable_aligned_alloc()

All have been fixed in the 6.4.0 release.

Please note that the EF Security Team typically does not send such messages as the Project team decides on how to communicate, but those issues come from the backlog and the project is in the migration phase. So, I do send it out so that everyone is aware.

Kind regards,
Marta Rybczynska
Technical Program Manager, Security Team, Eclipse Foundation