CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

An issue was discovered in Cypress (formerly Broadcom) WICED Studio 6.2 CYW20735B1 and CYW20819A1. When a Bluetooth Low Energy (BLE) packet is received, it is copied into a heap (ThreadX block) buffer. The buffer allocated in dhmulp_getRxBuffer is four bytes too small to hold the maximum of 255 bytes plus headers, so it is possible to corrupt a pointer in the linked list holding the free buffers of the g_mm_BLEDeviceToHostPool block pool. This pointer can be fully controlled by overflowing with 3 bytes of packet data and the first byte of the packet CRC checksum.

• https://community.cypress.com/thread/53681
• https://github.com/seemoo-lab/frankenstein/blob/master/doc/CVE_2019_13916.md
• CWE-787: Out-of-bounds Write