Description
Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Affected products
- MarlinFirmware / Marlin0 – 2.1.2.7
- MarlinFirmware / Marlin1f255d16ec2d456454fd444494cfb338d62b0fa1 – 1f255d16ec2d456454fd444494cfb338d62b0fa1
References
- MISChttps://github.com/MarlinFirmware/Marlin/issues/28467
- PATCHhttps://github.com/MarlinFirmware/Marlin/pull/28468
- PATCHhttps://github.com/MarlinFirmware/Marlin/commit/1f255d16ec2d456454fd444494cfb338d62b0fa1
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/marlin-firmware-out-of-bounds-write-via-m421-g-code-handler