A stack buffer overflow occurs in net/at/src/at_server.c in RT-Thread through 5.0.2.
The stack buffer overflow error (CWE-121) involves writing data outside the boundaries of a buffer allocated on the stack in the file net/at/src/at_server.c. An attacker can provide specially crafted input data through the AT server network interface, causing stack memory areas to be overwritten. The attack vector is network-based, does not require authentication or user interaction, and attack complexity is low.
An attacker can gain full control over the device — leading to confidentiality, integrity, and availability of the system (CVSS rating C:H/I:H/A:H), which in practice means the possibility of remote code execution (RCE) or device destabilization.
Apply patches available from the manufacturer according to the references. It is recommended to monitor the RT-Thread GitHub repository (issue #8288) and publications by security researchers indicated in the references to obtain current information about patches. If an update is not possible, consider disabling or network isolating the AT server component.
RT-Thread RTOS in versions up to and including 5.0.2, with the AT server component enabled (net/at/src/at_server.c).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRt Thread
APPRt-Thread≤ 5.0.2
Related vulnerabilities
A vulnerability, which was classified as critical, was found in RT-Thread up to 5.1.0. This affects the functi...
A vulnerability, which was classified as critical, has been found in RT-Thread 5.1.0. This issue affects the f...
A vulnerability was found in RT-Thread 5.1.0. It has been rated as critical. Affected by this issue is the fun...
A vulnerability classified as critical has been found in RT-Thread 5.1.0. This affects the function sys_sigpro...
A vulnerability classified as critical was found in RT-Thread 5.1.0. This vulnerability affects the function c...