Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.
This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.

This issue affects Advanced Software Framework: through 3.52.0.2574.


ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.
Fixes

Solution

ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.


Workaround

The issue can be mitigated by adding a check to the size variable after the call [1] to pbuf_get_at on line 127 [1]. If the size variable is not 4, then the function should cease processing and return. The lwip_dhcp_find_option function is only used to find this one option. [1] https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127

History

Fri, 29 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Mon, 12 Aug 2024 15:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 08 Aug 2024 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Microchip
Microchip advanced Software Framework
CPEs cpe:2.3:a:microchip:advanced_software_framework:*:*:*:*:*:*:*:*
Vendors & Products Microchip
Microchip advanced Software Framework
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Aug 2024 16:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework: through 3.52.0.2574. Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework: through 3.52.0.2574. ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.

Thu, 08 Aug 2024 15:15:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework: through 3.52.0.2574.
Title Remote Code Execution in Advanced Software Framework DHCP server
Weaknesses CWE-120
CWE-20
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2025-08-29T20:23:53.142Z

Reserved: 2024-08-05T14:10:12.165Z

Link: CVE-2024-7490

cve-icon Vulnrichment

Updated: 2024-09-19T13:06:47.103Z

cve-icon NVD

Status : Modified

Published: 2024-08-08T15:15:19.057

Modified: 2025-08-29T21:15:35.473

Link: CVE-2024-7490

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.