Executive Summary

CVE-2025-68132 is an out-of-bounds read vulnerability in the DZG_GSH01 powermeter driver's SLIP CRC parser within the everest-core project. The function `is_message_crc_correct` reads the last two bytes of a message vector without checking if the vector contains at least two bytes. Malformed SLIP frames received over the serial link can produce sub-messages smaller than two bytes, causing the function to access invalid memory. This leads to undefined behavior and likely crashes the powermeter driver process, resulting in a denial of service. The vulnerability is triggered via the multi-message parsing path and was fixed by adding a size check to reject messages smaller than two bytes. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the powermeter driver process to crash when it receives malformed SLIP frames with sub-messages smaller than two bytes. An attacker controlling the serial input can reliably trigger this crash, resulting in a denial of service (DoS) condition. There is no impact on confidentiality or integrity, only availability is affected. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service in the everest-core powermeter driver process, especially when malformed SLIP frames are received over the serial link. Detection involves checking for abnormal process terminations or logs indicating out-of-bounds reads in the DZG_GSH01 SLIP parser. Since the vulnerability is triggered by malformed SLIP frames with sub-messages smaller than 2 bytes, capturing and analyzing serial traffic for such frames (e.g., frames with multiple 0xC0 delimiters and very short sub-messages) can help detect attempts to exploit this issue. Commands to capture serial traffic could include using tools like `cat /dev/ttyS*` or `screen /dev/ttyS*` to monitor serial input, or using serial protocol analyzers to filter for frames with sub-messages of length less than 2 bytes. Additionally, enabling debugging or logging in the everest-core software to capture errors in the SLIP parser may assist in detection. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the everest-core software to version 2025.12.0 or later, where the vulnerability is fixed by adding a size check in the `is_message_crc_correct` function to reject messages smaller than 2 bytes. Until the upgrade can be applied, it is recommended to implement input validation to discard SLIP frames smaller than 4 bytes earlier in the processing pipeline and reject sub-messages shorter than the CRC trailer (less than 2 bytes) before CRC validation. Additionally, restricting physical access to the serial link to prevent attackers from sending malformed SLIP frames can reduce risk. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes a low-severity denial of service by crashing the powermeter driver process via an out-of-bounds read. It does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with common standards and regulations such as GDPR or HIPAA, which primarily focus on data privacy and protection. The impact is limited to availability with low severity. [1]

Useful 0 Not Useful 0