OpenWrt ubusd Heap Buffer Overflow Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in the OpenWrt ubus daemon's event registration parsing code, in versions prior to 24.10.4. This vulnerability allows an attacker to manipulate memory and potentially execute arbitrary code within the context of the ubus daemon. The issue arises because the vulnerable code is executed before access control list (ACL) checks are applied, enabling all ubus clients to send messages that exploit this flaw. Additionally, the crafted subscription can bypass the listen ACL, further exacerbating the issue.

Impact

Exploitation of this vulnerability leads to a heap buffer overflow, allowing for memory manipulation and the potential execution of arbitrary code in the context of the ubus daemon. Furthermore, the vulnerability causes a bypass of the listen ACL, enabling unauthorized event subscriptions.

Reproduction

The vulnerability can be reproduced by sending a crafted event registration message to the ubus daemon; the message triggers a heap buffer overflow in the event registration parsing code because the length of the event pattern is not properly checked. Since the vulnerable code runs before ACL checks are applied, any ubus client, regardless of its privileges, can deliver such a message.

Remediation

Users can upgrade to OpenWrt version 24.10.4 or later to address this vulnerability. This includes snapshot builds released after October 18, 2025. For those on older OpenWrt versions like 23.05 or 22.03, which are no longer supported, an upgrade to a version that receives security updates is recommended.
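As an added check for the remediation above (my own script, not from the advisory or the OpenWrt project), the POSIX sh snippet below reads DISTRIB_RELEASE from /etc/openwrt_release and compares it against the fixed release 24.10.4. It assumes the release string follows OpenWrt's usual dotted form (a "-rc" suffix is treated as older than the final release); snapshot builds carry no comparable version string, so for those the script only reports that the build date must be checked against the October 18, 2025 cut-off given above. When the file is absent (running off-device) it falls back to a constructed sample value.

```shell
#!/bin/sh
# Added example: decide whether an OpenWrt release is older than the ubusd fix.
# Not part of the advisory or of OpenWrt; assumes DISTRIB_RELEASE as found in
# /etc/openwrt_release (e.g. "24.10.1", "23.05.5", "SNAPSHOT").

FIXED_RELEASE="24.10.4"

# Compare two dotted release strings component by component.
# Prints 0 if $1 is older than $2, 1 if equal, 2 if newer.
vercmp() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        # drop the consumed component; no dot left means nothing remains
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        p1=${p1:-0}; p2=${p2:-0}
        # a non-numeric component is treated as 0
        case $p1 in *[!0-9]*) p1=0 ;; esac
        case $p2 in *[!0-9]*) p2=0 ;; esac
        if [ "$p1" -lt "$p2" ]; then echo 0; return; fi
        if [ "$p1" -gt "$p2" ]; then echo 2; return; fi
    done
    echo 1
}

# Exit status: 0 = affected (older than the fix), 1 = at or above the fix,
# 2 = snapshot build, undecidable from the version string alone.
is_affected() {
    rel=$1
    case $rel in
        ""|*SNAPSHOT*) return 2 ;;
    esac
    base=${rel%%-*}                      # strip "-rc1"-style suffix
    case $rel in *-*) pre=1 ;; *) pre=0 ;; esac
    r=$(vercmp "$base" "$FIXED_RELEASE")
    case $r in
        0) return 0 ;;
        1) if [ "$pre" -eq 1 ]; then return 0; else return 1; fi ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for one release string.
report() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) echo "OpenWrt $1: affected, upgrade to $FIXED_RELEASE or later" ;;
        1) echo "OpenWrt $1: at or above $FIXED_RELEASE" ;;
        2) echo "OpenWrt $1: snapshot build, confirm it was built after 2025-10-18" ;;
    esac
}

# On a router /etc/openwrt_release defines DISTRIB_RELEASE in shell syntax;
# elsewhere use a constructed sample value so the script still runs.
if [ -r /etc/openwrt_release ]; then
    . /etc/openwrt_release
else
    DISTRIB_RELEASE="24.10.1"   # constructed sample, not a real device reading
fi
report "$DISTRIB_RELEASE"
```

Run it on the device with `sh check_ubusd.sh`; an "affected" verdict means the running release predates the fix and the upgrade above applies.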

Added: Oct 22, 2025, 3:27 PM
Updated: Oct 22, 2025, 9:39 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 7.5
exploitability: 5.9
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.