CVSS: 9.7EPSS: 0%CPEs: 1EXPL: 1CVE-2025-24797 – Meshtastic incorrectly hands malformed packets leads to controlled buffer overflow
https://notcve.org/view.php?id=CVE-2025-24797
14 Apr 2025 — Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability fixed in 2.6.2. A fault in the handling of mesh packets containing invalid pr... • https://packetstorm.news/files/id/190552 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21608 – Forged packets over MQTT can show up in direct messages in Meshtastic firmware
https://notcve.org/view.php?id=CVE-2025-21608
18 Feb 2025 — Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/meshtastic/firmware/security/advisories/GHSA-c967-qc39-3hf5 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51500 – Failure to check for packets from the broadcast address allows potential DDoS amplification attack in Meshtastic firmware
https://notcve.org/view.php?id=CVE-2024-51500
04 Nov 2024 — Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does not check for packets claiming to be from the special broadcast address (0xFFFFFFFF) which could result in unexpected behavior and potential for DDoS attacks on the network. A malicious actor could craft a packet to be from that address which would result in an amplification of this one message into every node on the network sending multiple messages. Such an attack could result in degraded network performance ... • https://github.com/meshtastic/firmware/security/advisories/GHSA-xfmq-5j3j-vgv8 • CWE-138: Improper Neutralization of Special Elements CWE-159: Improper Handling of Invalid Use of Special Elements •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47079 – Unauthorized usage of remote hardware module because of missing channel verification
https://notcve.org/view.php?id=CVE-2024-47079
07 Oct 2024 — Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to ensure a remote hardware control message was received should be considered valid. This issue has been addressed in release version 2.5.1. All users are advised to upgrade. • https://github.com/meshtastic/firmware/security/advisories/GHSA-h8mh-p4r3-4jv7 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47078 – Meshtastic firmware Authentication/Authorization Bypass via MQTT
https://notcve.org/view.php?id=CVE-2024-47078
25 Sep 2024 — Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch. • https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45038 – Device crash via malformed MQTT packet when downlink is enabled in Meshtastic device firmware
https://notcve.org/view.php?id=CVE-2024-45038
27 Aug 2024 — Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Broker. It's strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent st... • https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2003-1320
https://notcve.org/view.php?id=CVE-2003-1320
31 Dec 2003 — SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. • http://www.kb.cert.org/vuls/id/287771 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2001-0888
https://notcve.org/view.php?id=CVE-2001-0888
21 Dec 2001 — Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers to cause a denial of service via a SNMP request with (1) a community string other than "public" or (2) an unknown OID, which causes the WAP to deny subsequent SNMP requests. El Wireless Acces Point (WAP) Atmel Firmware 1.3 permite a atacantes remotos causar una denegación de servicio mediante una petición SNMP con una cadena de comunidad distinta de "public", oun OID (identificador de objeto) desconocido lo que hace que el WAP deniege pe... • http://marc.info/?l=bugtraq&m=100895903202798&w=2 •