CVE-2025-24797 CRITICAL

CVE-2025-24797: Meshtastic incorrectly handles malformed packets, leading to a controlled buffer overflow

Vendor Meshtastic
Product firmware
Weakness CWE-119
Published April 14, 2025
Last update April 21, 2025

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

What the vulnerability does

Description

Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability is fixed in 2.6.2.

Key dates

Disclosure timeline

April 14, 2025 CVE published
April 21, 2025 Record updated