CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
NeKernal is a free and open-source operating system stack. Version 0.0.2 has a 1-byte heap overflow in `rt_copy_memory`, which unconditionally wrote a null terminator at `dst[len]`. When `len` equals the size of the destination buffer (256 bytes), that extra `'\0'` write overruns the buffer by one byte. To avoid breaking existing callers or changing the public API, the patch in commit fb7b7f658327f659c6a6da1af151cb389c2ca4ee takes a minimal approach: it simply removes the overflow-causing line without adding bounds checks or altering the function signature.
Analysis
NeKernal OS version 0.0.2 has a 1-byte heap buffer overflow in its `rt_copy_memory` function: a null terminator is unconditionally written one byte beyond the destination buffer when the copy length equals the buffer size (256 bytes). The flaw is reachable by a local attacker with no privileges and no user interaction, and can result in high-impact compromise of confidentiality, integrity, and availability. The patch (commit fb7b7f658327f659c6a6da1af151cb389c2ca4ee) removes the overflow-causing null-terminator write. No active exploitation or public POC is currently documented, but the CVSS 8.6 score reflects significant severity.
Technical Context
NeKernal is a free and open-source operating system stack; the vulnerable component is the memory copy routine `rt_copy_memory` in version 0.0.2. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow), a memory safety flaw where writes exceed allocated heap boundaries. The root cause is a classic off-by-one error: the function writes `dst[len]` with a null terminator without verifying that `len < buffer_size`. When `len` equals the destination buffer size (256 bytes), the write at index `len` (byte 256) exceeds the 256-byte allocation (indices 0-255), corrupting the next heap object. This is particularly dangerous in OS kernel context where heap corruption can lead to privilege escalation or code execution. The patch takes a minimal approach by removing the null-terminator line (avoiding API changes) rather than adding explicit bounds checks.
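The following is an added illustration of the off-by-one pattern described above, written for this page; it is not NeKernal's code, and the function names `prepatch_would_overflow`, `safe_copy_memory` and the `guarded` struct are assumptions chosen for the example. The pre-patch behaviour is modelled arithmetically (which index the unconditional terminator write lands on) rather than executed, while the hardened copy shows the bounds check the original function lacked: it refuses requests that do not fit and only writes the terminator when `len < dst_size`. A canary byte placed directly after a 256-byte buffer confirms that an exact-fit copy leaves the neighbouring memory untouched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models the pre-patch behaviour described in the advisory (hypothetical
 * reconstruction, not NeKernal's code): after copying len bytes the
 * function unconditionally wrote '\0' at dst[len]. This helper only
 * computes whether that index lies outside a dst_size-byte buffer;
 * it never performs the write. */
static int prepatch_would_overflow(size_t len, size_t dst_size)
{
    size_t terminator_index = len;            /* the unconditional '\0' */
    return terminator_index >= dst_size;      /* 1 when len == dst_size */
}

/* Hardened variant (added example): copy len bytes into a dst_size-byte
 * buffer, null-terminate only when there is room, and report failure
 * instead of writing out of bounds. Returns bytes copied, or -1. */
static long safe_copy_memory(uint8_t *dst, size_t dst_size,
                             const uint8_t *src, size_t len)
{
    if (dst == NULL || src == NULL) return -1;
    if (len > dst_size) return -1;            /* copy itself would not fit */
    memcpy(dst, src, len);
    if (len < dst_size) {
        dst[len] = '\0';                      /* room for the terminator */
    }
    /* len == dst_size: buffer is full, no terminator; caller sees len */
    return (long)len;
}

/* Constructed layout: canary sits at the byte the pre-patch write at
 * dst[256] would have corrupted. uint8_t members leave no padding. */
struct guarded {
    uint8_t buf[256];
    uint8_t canary;
};

/* Exact-fit copy (len == 256) must leave the neighbouring byte intact. */
static int demo_exact_fit_keeps_neighbor_intact(void)
{
    struct guarded g;
    uint8_t src[256];
    memset(src, 'A', sizeof src);
    g.canary = 0x5A;
    long n = safe_copy_memory(g.buf, sizeof g.buf, src, sizeof src);
    return n == 256 && g.canary == 0x5A && g.buf[255] == 'A';
}

/* Short copy has room, so the terminator is written at dst[len]. */
static int demo_short_copy_is_terminated(void)
{
    uint8_t dst[16];
    const uint8_t src[] = "hello";             /* constructed input */
    memset(dst, 0xFF, sizeof dst);
    long n = safe_copy_memory(dst, sizeof dst, src, 5);
    return n == 5 && dst[5] == '\0' && memcmp(dst, "hello", 5) == 0;
}

/* A request larger than the buffer is rejected rather than overrun. */
static int demo_oversize_is_rejected(void)
{
    uint8_t dst[8];
    uint8_t src[9] = {0};
    return safe_copy_memory(dst, sizeof dst, src, sizeof src) == -1;
}

int main(void)
{
    printf("pre-patch write at dst[256] into 256-byte buffer overflows: %d\n",
           prepatch_would_overflow(256, 256));
    printf("exact fit keeps neighbour intact: %d\n",
           demo_exact_fit_keeps_neighbor_intact());
    printf("short copy terminated: %d\n", demo_short_copy_is_terminated());
    printf("oversize rejected: %d\n", demo_oversize_is_rejected());
    return 0;
}
```

The hardened version changes the contract (a full buffer is returned unterminated and the caller must use the length), which is exactly the kind of API change the upstream patch chose to avoid by simply deleting the terminator write; either way, callers that relied on `dst[len]` being `'\0'` after a 256-byte copy need review.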
Affected Products
NeKernal operating system stack, version 0.0.2. No CPE string was provided in the source data, but affected deployments would be identified by: Product=NeKernal, Version=0.0.2, Component=kernel memory management (rt_copy_memory function). The vulnerability does not affect version 0.0.3 or later, which includes the patch commit fb7b7f658327f659c6a6da1af151cb389c2ca4ee. As this is an open-source project, affected users are primarily developers or experimental deployments using the 0.0.2 release from the official NeKernal repository.
Remediation
1. **Upgrade NeKernal:** Update from version 0.0.2 to version 0.0.3 or later, which includes the fix commit fb7b7f658327f659c6a6da1af151cb389c2ca4ee that removes the unconditional null-terminator write.
2. **Verify Patch:** Confirm the patch by checking that the null-terminator line in `rt_copy_memory` has been removed and no regression has occurred in callers.
3. **Workaround:** If immediate upgrade is infeasible, implement application-level validation to ensure copy operations never pass `len` equal to the destination buffer size; however, this is a kernel-level fix and workarounds are limited for OS stack vulnerabilities.
4. **Code Review:** Audit other memory copy functions in NeKernal for similar off-by-one errors (CWE-122 family patterns).

Official patch link: https://github.com/NeKernal/NeKernal/commit/fb7b7f658327f659c6a6da1af151cb389c2ca4ee (inferred repository structure for open-source project).
EUVD-2025-16632