CVE-2025-24797

CRITICAL

Meshtastic Firmware < 2.6.2 - Memory Corruption

Title source: rule

Description

Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability fixed in 2.6.2.

Exploits (1)

nomisec WRITEUP 2 stars

by Alainx277 · poc

https://github.com/Alainx277/CVE-2025-24797

View Code ZIP pw:eip

References (1)

[Third Party Advisory] https://github.com/meshtastic/firmware/security/advisories/GHSA-33hw-xhfh-944r

Scores

CVSS v3 9.4

EPSS 0.0197

EPSS Percentile 83.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Details

CWE

CWE-119 CWE-122

Status published

Products (1)

meshtastic/meshtastic_firmware < 2.6.2

Published Apr 15, 2025

Tracked Since Feb 18, 2026