Vulnerability Description
FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled (i.e. `configENABLE_MPU` set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Freertos | < 10.6.2 |
Related Weaknesses (CWE)
References
- https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.6.2Release Notes
- https://github.com/FreeRTOS/FreeRTOS-Kernel/security/advisories/GHSA-xcv7-v92w-gTechnical DescriptionVendor Advisory
- https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.6.2Release Notes
- https://github.com/FreeRTOS/FreeRTOS-Kernel/security/advisories/GHSA-xcv7-v92w-gTechnical DescriptionVendor Advisory
FAQ
What is CVE-2024-28115?
CVE-2024-28115 is a vulnerability with a CVSS score of 8.8 (HIGH). FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming te...
How severe is CVE-2024-28115?
CVE-2024-28115 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-28115?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Freertos.