I have identified a security vulnerability in dlt-daemon affecting the DLT V2 protocol parsing (dlt_daemon_control_get_log_info_v2). I am following responsible disclosure and have sent details privately to the BMW security team (cert@bmw.de) and the primary maintainer.
Vulnerability: CWE-125 Out-of-bounds Read in GET_LOG_INFO V2 message parsing
Severity: Critical (CVSS 9.1)
Affected: dlt-daemon v3.0.1 (HEAD) and prior versions with DLT V2 support
Status: Private technical details shared with cert@bmw.de — awaiting acknowledgement
I will coordinate a public disclosure timeline with maintainers.
Reporter: Feng Ning feng@innora.ai / Innora Security Research
I have identified a security vulnerability in dlt-daemon affecting the DLT V2 protocol parsing (dlt_daemon_control_get_log_info_v2). I am following responsible disclosure and have sent details privately to the BMW security team (cert@bmw.de) and the primary maintainer.
Vulnerability: CWE-125 Out-of-bounds Read in GET_LOG_INFO V2 message parsing
Severity: Critical (CVSS 9.1)
Affected: dlt-daemon v3.0.1 (HEAD) and prior versions with DLT V2 support
Status: Private technical details shared with cert@bmw.de — awaiting acknowledgement
I will coordinate a public disclosure timeline with maintainers.
Reporter: Feng Ning feng@innora.ai / Innora Security Research