CVE-2022-24936
Silicon Labs Gecko Bootloader < 4.0.1 - Out-of-Bounds Write in GBL Parser
Severity: HIGH
Title source: llmDescription
Out-of-bounds error in the GBL parser in Silicon Labs Gecko Bootloader version 4.0.1 and earlier allows an attacker to overwrite the flash signing key and the OTA decryption key via a malicious bootloader upgrade.
References (2)
Vendor Advisory (permissions required):
https://community.silabs.com/sfc/servlet.shepherd/document/download/0698Y00000Gdop4QAB?operationContext=S1
Exploit, Third Party Advisory (patch):
https://github.com/SiliconLabs/gecko_sdk/blame/2e82050dc8823c9fe0e8908c1b2666fb83056230/platform/bootloader/core/btl_bootload.c
Scores
CVSS v3: 8.3
EPSS: 0.0080
EPSS Percentile: 52.1%
Attack Vector: ADJACENT_NETWORK
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-119, CWE-787
Status: published
Products (1): silabs/gecko_bootloader < 4.0.1
Published: Nov 02, 2022
Tracked Since: Feb 18, 2026