Jan 2, 2026
Developers forgot that arrays start at 0. An off-by-one error in `libstring-c`'s concatenation logic permits a single byte overflow on the heap. This allows attackers to corrupt chunk metadata, leading to Remote Code Execution (RCE) in any application linking this library—which is basically half the IoT world.
A critical off-by-one vulnerability in the widely used `libstring-c` library allows remote attackers to execute arbitrary code via malformed string concatenation requests. This bug creates a classic heap overflow scenario, turning simple text processing into a gateway for complete system compromise.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| libstring-c OpenSourceLib | < 1.4.2 | 1.4.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-193 (Off-by-one Error) |
| Attack Vector | Network (Remote) |
| CVSS | 9.8 (Critical) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | PoC Available |
| Privileges | None Required |

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
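
The bug class described above (CWE-193 in a concatenation routine), as an added C illustration that is not libstring-c's code. The page does not show the vulnerable function, so every function name here is hypothetical, and so is the assumption that the miscount is an omitted NUL terminator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of CWE-193 in string concatenation.
 * Hypothetical names; this is not libstring-c source. */

/* Flawed sizing: counts the characters but not the terminating NUL,
 * so writing the result stores one byte past the allocation. */
size_t concat_size_flawed(size_t a_len, size_t b_len) {
    return a_len + b_len;
}

/* Correct sizing: characters plus NUL, rejecting size_t wraparound.
 * Returns 0 when the total cannot be represented. */
size_t concat_size_checked(size_t a_len, size_t b_len) {
    if (a_len > SIZE_MAX - b_len) return 0;
    size_t n = a_len + b_len;
    if (n == SIZE_MAX) return 0;
    return n + 1;
}

/* Hardened concatenation: allocates with the checked size and copies
 * with explicit lengths. Caller frees the result; NULL on failure. */
char *concat_checked(const char *a, const char *b) {
    if (a == NULL || b == NULL) return NULL;
    size_t a_len = strlen(a), b_len = strlen(b);
    size_t need = concat_size_checked(a_len, b_len);
    if (need == 0) return NULL;
    char *out = malloc(need);
    if (out == NULL) return NULL;
    memcpy(out, a, a_len);
    memcpy(out + a_len, b, b_len);
    out[a_len + b_len] = '\0';   /* last valid index is need - 1 */
    return out;
}

/* Bytes a concatenation would write beyond a buffer of `alloc` bytes. */
size_t overflow_bytes(size_t a_len, size_t b_len, size_t alloc) {
    size_t need = concat_size_checked(a_len, b_len);
    return need > alloc ? need - alloc : 0;
}
```

In a code review or audit of callers, the pattern to look for is an allocation sized from `strlen` sums without the `+ 1`, or a loop bound written with `<=` against a length.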