striso-control-firmware CVE-2025-28343

EUVD-2025-209825 | Severity: HIGH
Stack-based Buffer Overflow (CWE-121)
Published 2026-05-13 | Source: cve@mitre.org | GHSA-v76g-8r64-4mxq
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

May 14, 2026 13:22 (vuln.today): Analysis generated
May 14, 2026 13:22 (NVD): CVSS changed to 7.5 (HIGH)
May 13, 2026 16:16 (nvd): CVE published, UNKNOWN (no severity yet)
May 13, 2026 16:16 (nvd): CVE published, HIGH 7.5

Description (NVD)

striso-control-firmware 54c9722 is vulnerable to a buffer overflow in the function ThreadReadButtons.

Analysis (AI)

A remote denial-of-service vulnerability in striso-control-firmware at commit 54c9722 lets a network attacker crash the device through a buffer overflow in the ThreadReadButtons function, leaving the device completely unavailable. It is rated CVSS 7.5 (High): network attack vector, no authentication and no user interaction required. EPSS and KEV data are not available, and no public exploit code was identified at the time of analysis, though the technical details disclosed in GitHub issue #5 could facilitate its development.

Technical Context (AI)

The vulnerability exists in striso-control-firmware, the embedded control software for Striso musical instruments. CWE-121 classifies it as a stack-based buffer overflow, located in the ThreadReadButtons function, which processes button input events. Stack-based overflows in embedded firmware typically result from unsafe memory operations (strcpy, sprintf, or fixed-size buffers written without bounds checking) when handling input data. On resource-constrained embedded devices, a stack overflow readily triggers a crash or device reset, because stack space is limited and the memory-protection mechanisms common in general-purpose operating systems are absent. The network attack vector (AV:N) suggests that the button-reading thread processes data from a network source, possibly WebSocket connections, MIDI-over-network, or a custom control protocol, rather than only local hardware button presses; the advisory itself does not state which input path is exposed, so this remains an inference from the CVSS vector.
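To make the CWE-121 pattern concrete, the following added example (not Striso's code; the frame format, buffer size and function names are all constructed for illustration) shows a button-event parser with the unchecked fixed-size stack buffer beside a hardened version that validates the claimed event count against both the destination capacity and the real frame length before copying. The unchecked variant is kept only for contrast and is only ever called with a well-formed frame.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed button-event frame format for this example (NOT Striso's real
 * protocol): byte 0 = event count N, followed by N (index, state) byte pairs. */
#define MAX_BUTTONS 8

typedef struct {
    uint8_t index;   /* which button */
    uint8_t state;   /* 0 = released, 1 = pressed */
} button_event_t;

/* CWE-121 pattern: a network-supplied count drives writes into a fixed-size
 * stack array with no bounds check; N > MAX_BUTTONS corrupts the stack. */
static int read_buttons_unchecked(const uint8_t *frame)
{
    button_event_t events[MAX_BUTTONS];
    uint8_t count = frame[0];
    for (size_t i = 0; i < count; i++) {   /* missing: count <= MAX_BUTTONS */
        events[i].index = frame[1 + 2 * i];
        events[i].state = frame[2 + 2 * i];
    }
    return count;
}

/* Hardened version: validate the claimed count against the destination
 * capacity and the real frame length before copying anything. Returns the
 * number of events parsed, or -1 so the caller drops the frame. */
static int read_buttons_checked(const uint8_t *frame, size_t len,
                                button_event_t *out, size_t cap)
{
    if (frame == NULL || out == NULL || len < 1)
        return -1;
    size_t count = frame[0];
    /* count would overflow the caller's buffer, or frame is shorter than it claims */
    if (count > cap || len < 1 + 2 * count)
        return -1;
    for (size_t i = 0; i < count; i++) {
        out[i].index = frame[1 + 2 * i];
        out[i].state = frame[2 + 2 * i];
        if (out[i].index >= MAX_BUTTONS || out[i].state > 1)
            return -1;               /* reject out-of-range field values too */
    }
    return (int)count;
}

/* Constructed sample frames: valid, oversized count, truncated body. */
const uint8_t good_frame[]      = {2, 3, 1, 5, 0};
const uint8_t oversized_frame[] = {200, 0, 1};
const uint8_t truncated_frame[] = {3, 0, 1};
```

The checked parser turns the two malformed frames into a dropped packet rather than a corrupted stack, which is the behaviour a firmware fix for this class of bug needs to guarantee.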

Remediation (AI)

Check the GitHub repository https://github.com/striso/striso-control-firmware for commits after 54c9722 that address issue #5, and apply the latest firmware build that incorporates the buffer overflow fix in ThreadReadButtons. Monitor issue #5 at https://github.com/striso/striso-control-firmware/issues/5 for developer responses confirming the remediation commit hashes or release versions.

If patched firmware is not yet available, implement network-level compensating controls: restrict network access to Striso devices with firewall rules that permit connections only from trusted control systems and musician workstations, deploy the devices on isolated VLAN segments separate from general network traffic to limit the attack surface, and disable any remote management interfaces that are not operationally required. Note that these network restrictions may limit legitimate remote control functionality in distributed music production workflows.

For production music environments where availability is critical, consider deploying redundant Striso units and implementing failover procedures to maintain service continuity during a denial-of-service incident or a firmware update window.

CVE-2025-28343 vulnerability details – vuln.today