Impact
A memory corruption vulnerability exists in the sys_getaddrinfo function. The flaw allows a malicious local user to corrupt memory, potentially leading to arbitrary code execution or system instability, depending on how the corrupted memory is used. The flaw is classified as CWE‑119, a classic buffer overflow scenario.
Affected Systems
The only affected vendor is RT‑Thread; the affected firmware versions are 5.0.2 and earlier. All builds that include the sys_getaddrinfo implementation remain vulnerable until the pull request that introduces bounds checking for ai_addr is merged, or until a newer RT‑Thread release containing the patch is deployed.
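The kind of bounds check the fix describes, shown as an added example: this is not RT‑Thread's code or the pull request's patch. The names copy_ai_addr and run_case are hypothetical, and the layout assumes the POSIX struct addrinfo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not RT-Thread code: copy one resolver result's
 * address into a caller-owned buffer of dst_cap bytes.
 * Returns 0 on success or a negative errno value when the record is rejected. */
int copy_ai_addr(const struct addrinfo *ai, void *dst, size_t dst_cap,
                 socklen_t *out_len)
{
    size_t len, min_len;

    if (ai == NULL || ai->ai_addr == NULL || dst == NULL || out_len == NULL)
        return -EINVAL;

    switch (ai->ai_family) {
    case AF_INET:  min_len = sizeof(struct sockaddr_in);  break;
    case AF_INET6: min_len = sizeof(struct sockaddr_in6); break;
    default:       return -EAFNOSUPPORT;
    }

    len = (size_t)ai->ai_addrlen;
    if (len < min_len)
        return -EINVAL;   /* record too short for its address family */
    if (len > dst_cap)
        return -ENOSPC;   /* copy would run past the destination */

    memcpy(dst, ai->ai_addr, len);
    *out_len = (socklen_t)len;
    return 0;
}

/* Constructed input: an AF_INET record claiming claimed_len bytes (at most
 * sizeof(struct sockaddr_storage)), copied into dst_cap bytes (at most 128). */
int run_case(socklen_t claimed_len, size_t dst_cap)
{
    struct sockaddr_storage src;   /* backing store behind ai_addr */
    unsigned char dst[128];
    struct addrinfo ai;
    socklen_t copied = 0;

    memset(&src, 0, sizeof src);
    memset(&ai, 0, sizeof ai);
    src.ss_family = AF_INET;
    ai.ai_family = AF_INET;
    ai.ai_addr = (struct sockaddr *)&src;
    ai.ai_addrlen = claimed_len;
    return copy_ai_addr(&ai, dst, dst_cap, &copied);
}
```

The length is validated against both the address family's minimum size and the destination capacity before any bytes are copied, so an oversized ai_addrlen is rejected instead of overrunning the caller's buffer.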
Risk and Exploitability
The CVSS score of 6.8 corresponds to medium severity on the CVSS scale, but this assessment is inferred because the original advisory does not explicitly rate severity. The attack requires local privileges and is not remotely exploitable. The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating that it is not currently a widely exploited flaw. However, a public exploit has been released, and the flaw remains significant for systems that run unpatched RT‑Thread where local users can execute code.