Primary

Context

Mercedes-Benz NTG6 Head Unit Boost Library Vulnerability Leading to Null Pointer Dereference

Vulnerability

A vulnerability exists in the Mercedes-Benz NTG6 head unit, specifically within the user profile import and export functionality over USB. This issue arises from the use of a serialized archive format compatible with the Boost library, which contains a known vulnerability allowing for a null pointer dereference.

Impact

Exploitation of this vulnerability causes the 'UserData' service to crash during the import of profile data, freezing the system until a hard reset of the Electronic Control Unit (ECU) is performed.

Reproduction

The vulnerability can be reproduced by exporting user profile data to a USB drive, which includes files that, when decoded, exploit a heap buffer overflow. This crafted data can then be imported back into the head unit, triggering the vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

2.5

exploitability

4.8

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

2.5

exploitability

4.8

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mercedes-Benz NTG6 Head Unit Boost Library Vulnerability Leading to Null Pointer Dereference

Vulnerability

Impact

Reproduction

Affected Products

Mercedes-Benz NTG6

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating