CVE-2024-48984: n/a
An issue was discovered in MBed OS 6.16.0. When parsing HCI reports, the HCI parsing software dynamically determines the length of a list of reports by reading a byte from an input stream. It then fetches the length of the first report, uses it to calculate the beginning of the second report, and so on. In doing this, it tracks the largest report so it can later allocate a buffer that fits every individual report (but only one at a time). It does not, however, validate that these addresses are all contained within the buffer passed to hciEvtProcessLeExtAdvReport. It is then possible, though unlikely, that the buffer designated to hold the reports is allocated in such a way that one of these out-of-bounds length fields is contained within the new buffer. When the (n-1)th report is copied, it overwrites the length field of the nth report. This now corrupted length field is then used for a memcpy into the new buffer, which may lead to a buffer overflow.
AI Analysis
Technical Summary
CVE-2024-48984 is a critical buffer overflow vulnerability discovered in MBed OS version 6.16.0, specifically within the Bluetooth Host Controller Interface (HCI) report parsing logic. The vulnerability stems from the way the HCI parsing software dynamically determines the length of a list of Bluetooth HCI extended advertising reports by reading a byte from an input stream. It sequentially processes each report by using the length of the first report to calculate the start of the second, and so forth, while tracking the largest report length to allocate a buffer that can hold any single report. However, the implementation fails to validate that all calculated report addresses remain within the bounds of the buffer passed to the function hciEvtProcessLeExtAdvReport. This oversight can lead to a scenario where the buffer allocated for holding the reports overlaps with an out-of-bounds length field. When copying the (n-1)th report, this overlap causes the length field of the nth report to be overwritten, corrupting it. The corrupted length field is subsequently used in a memcpy operation into the newly allocated buffer, resulting in a buffer overflow. This vulnerability is classified under CWE-120 (Classic Buffer Overflow) and has a CVSS v3.1 base score of 9.8, indicating critical severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects system confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits have been reported in the wild, the flaw presents a significant risk for remote exploitation, potentially allowing attackers to execute arbitrary code or cause denial of service on affected devices running MBed OS with Bluetooth capabilities.
Potential Impact
The impact of CVE-2024-48984 is severe for organizations deploying MBed OS-based devices with Bluetooth functionality. Successful exploitation can lead to arbitrary code execution, enabling attackers to take full control of the affected device, compromise sensitive data, or disrupt device operation causing denial of service. This is particularly critical for IoT devices used in industrial control systems, healthcare, smart home environments, and other embedded applications where device integrity and availability are paramount. The vulnerability's remote, unauthenticated nature increases the attack surface, allowing attackers to exploit devices over Bluetooth without requiring physical access or user interaction. This could facilitate lateral movement within networks or serve as an entry point for broader attacks. Given the widespread use of MBed OS in constrained embedded devices, the vulnerability could affect a large number of devices globally, potentially impacting supply chains and critical infrastructure relying on these devices. The lack of current known exploits provides a window for mitigation, but the critical severity demands immediate attention to prevent future exploitation.
Mitigation Recommendations
To mitigate CVE-2024-48984, organizations should prioritize updating MBed OS to a patched version once available from the vendor or community. In the absence of an official patch, developers should implement strict input validation on HCI report lengths to ensure all calculated report addresses remain within buffer boundaries before copying data. Compiler- and platform-level hardening features such as stack canaries, Address Space Layout Randomization (ASLR), and Control Flow Integrity (CFI), where the target supports them, can help reduce exploitation risk. Controls that restrict unauthorized Bluetooth access, such as enforcing device pairing and authentication, can limit exposure. Monitoring Bluetooth traffic for anomalous or malformed HCI reports may provide early detection of exploitation attempts. Additionally, conducting thorough code reviews and fuzz testing on Bluetooth stack implementations can uncover similar vulnerabilities proactively. For critical deployments, consider isolating Bluetooth-enabled devices on segmented networks to contain potential compromises. Finally, maintain an incident response plan tailored to embedded device compromise scenarios to enable rapid containment and recovery.
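The description above outlines the parsing pattern at the root of the flaw (a count byte, then a chain of length-prefixed reports whose length fields are read wherever the previous length points), and the mitigation section asks for validation of every computed report address before any copy. The following is an added example, not MBed OS source and not the patched hciEvtProcessLeExtAdvReport, showing that check as a two-pass parser in C. The report layout is a deliberately simplified, hypothetical stand-in (one length byte followed by a payload); the real extended advertising report carries more fields per report, but the validation pattern is the same. The sample events are constructed, not captured traffic.

```c
/* Added example (not MBed OS code): a bounds-checked two-pass walk over a
 * list of length-prefixed reports. The layout is a simplified stand-in for
 * the HCI LE extended advertising report event:
 *     [num_reports:1]  then  num_reports x ( [len:1] [payload:len] )
 * The real event has more per-report fields; the check pattern is the same. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_REPORT_LEN 255   /* a one-byte length field cannot exceed this */

typedef struct {
    size_t num_reports;  /* reports announced by the header byte */
    size_t max_len;      /* largest payload seen; sizes the per-report work buffer */
    int    ok;           /* 1 only if every length byte and payload is inside the event */
} report_walk_t;

/* Pass one: verify that every length byte AND the payload it describes lie
 * inside [buf, buf+len). This is the validation the advisory says is missing:
 * if a length byte is read from beyond the event, that value later becomes
 * a memcpy size. Nothing is copied until the whole list has been checked. */
report_walk_t validate_reports(const uint8_t *buf, size_t len)
{
    report_walk_t r = {0, 0, 0};
    if (buf == NULL || len < 1)
        return r;

    size_t num = buf[0];
    size_t off = 1;
    for (size_t i = 0; i < num; i++) {
        if (off >= len)                 /* the length byte itself is out of bounds */
            return r;
        size_t rlen = buf[off];
        if (rlen > len - (off + 1))     /* payload would run past the end of the event */
            return r;
        if (rlen > r.max_len)
            r.max_len = rlen;
        off += 1 + rlen;
    }
    r.num_reports = num;
    r.ok = 1;
    return r;
}

/* Pass two: copy each report into a work buffer and hand it to a callback.
 * Returns the number of reports processed, or -1 if validation failed.
 * Because pass one rejected anything outside the event, every length read
 * here is an in-bounds byte and every memcpy stays within work[]. */
int process_reports(const uint8_t *buf, size_t len,
                    void (*on_report)(const uint8_t *p, size_t n, void *ctx),
                    void *ctx)
{
    report_walk_t w = validate_reports(buf, len);
    if (!w.ok)
        return -1;

    uint8_t work[MAX_REPORT_LEN];
    size_t off = 1;
    for (size_t i = 0; i < w.num_reports; i++) {
        size_t rlen = buf[off];         /* validated: rlen <= w.max_len <= MAX_REPORT_LEN */
        memcpy(work, buf + off + 1, rlen);
        if (on_report)
            on_report(work, rlen, ctx);
        off += 1 + rlen;
    }
    return (int)w.num_reports;
}

/* Constructed sample events (not captured traffic). */
const uint8_t sample_ok[]            = {3, 2, 0xAA, 0xBB, 0, 1, 0xCC}; /* 3 reports, max len 2 */
const uint8_t sample_trunc_payload[] = {2, 5, 0x01, 0x02};             /* first len says 5, only 2 bytes left */
const uint8_t sample_trunc_len[]     = {2, 1, 0x01};                   /* second length byte lies past the end */

static void print_report(const uint8_t *p, size_t n, void *ctx)
{
    (void)ctx;
    printf("report len=%zu:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", p[i]);
    printf("\n");
}

int main(void)
{
    printf("ok event      -> %d reports\n",
           process_reports(sample_ok, sizeof sample_ok, print_report, NULL));
    printf("trunc payload -> %d\n",
           process_reports(sample_trunc_payload, sizeof sample_trunc_payload, print_report, NULL));
    printf("trunc length  -> %d\n",
           process_reports(sample_trunc_len, sizeof sample_trunc_len, print_report, NULL));
    return 0;
}
```

The third sample is the shape the advisory describes: the header promises two reports but the second report's length byte sits one past the end of the event, so a single-pass parser would read it from whatever memory follows. Separating validation from copying means no length value is ever trusted until the whole list has been shown to fit, and the work buffer is sized from a maximum computed only over in-bounds fields.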
Affected Countries
United States, China, Germany, South Korea, Japan, United Kingdom, France, India, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b7eb7ef31ef0b555e9c
Added to database: 2/25/2026, 9:37:02 PM
Last enriched: 2/27/2026, 9:49:39 PM
Last updated: 4/12/2026, 7:55:12 AM