CVE-2021-40526

MEDIUM

Peleton TTR01 <PTV55G - DoS

Title source: llm

Description

Incorrect calculation of buffer size vulnerability in Peleton TTR01 up to and including PTV55G allows a remote attacker to trigger a Denial of Service attack through the GymKit daemon process by exploiting a heap overflow in the network server handling the Apple GymKit communication. This can lead to an Apple MFI device not being able to authenticate with the Peleton Bike

References (1)

[Third Party Advisory] https://twitter.com/ROPsicle/status/1438216078103044107?s=20

Scores

CVSS v3 4.8

EPSS 0.0081

EPSS Percentile 74.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Classification

CWE

CWE-131

Status published

Affected Products (1)

onepeloton/ttr01_firmware < ptv55g

Timeline

Published Oct 25, 2021

Tracked Since Feb 18, 2026