CVE-2024-80085: The 'Null' Hypothesis - RCE in LibString-C

Alon Barad
Software Engineer

Jan 2, 2026 · 5 min read

Executive Summary (TL;DR)

Developers forgot that arrays start at 0. An off-by-one error in `libstring-c`'s concatenation logic permits a single byte overflow on the heap. This allows attackers to corrupt chunk metadata, leading to Remote Code Execution (RCE) in any application linking this library—which is basically half the IoT world.

A critical off-by-one vulnerability in the widely used `libstring-c` library allows remote attackers to execute arbitrary code via malformed string concatenation requests. This bug creates a classic heap overflow scenario, turning simple text processing into a gateway for complete system compromise.
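A generic illustration of the bug class described above (CWE-193 in string concatenation), added here as an example. It is not code from `libstring-c` or from the original page; the function names and the missing-terminator form of the off-by-one are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical check with the CWE-193 defect: it counts the characters
 * of a and b but not the terminating NUL, so an input that exactly fills
 * the buffer is accepted and the terminator would land at dst[cap]. */
static int fits_off_by_one(size_t cap, const char *a, const char *b)
{
    return strlen(a) + strlen(b) <= cap;
}

/* Corrected check: reserve one byte for the NUL and reject lengths
 * whose sum would wrap around size_t. */
static int fits_correct(size_t cap, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > SIZE_MAX - lb - 1)
        return 0;
    return la + lb + 1 <= cap;
}

/* Hardened concatenation: returns a heap string, or NULL when the result
 * (terminator included) does not fit in max_size bytes. */
char *safe_concat(const char *a, const char *b, size_t max_size)
{
    if (!a || !b || !fits_correct(max_size, a, b))
        return NULL;
    size_t la = strlen(a), lb = strlen(b);
    char *dst = malloc(la + lb + 1);
    if (!dst)
        return NULL;
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);   /* copies b's NUL as well */
    return dst;
}

int main(void)
{
    /* Constructed boundary input: 4 + 4 characters against an 8-byte limit. */
    printf("off-by-one check accepts: %d\n", fits_off_by_one(8, "AAAA", "BBBB"));
    printf("correct check accepts:    %d\n", fits_correct(8, "AAAA", "BBBB"));
    return 0;
}
```

The boundary case is the one to cover in regression tests: input whose length equals the buffer capacity must be rejected, not accepted.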

Technical Appendix

- CVSS Score: 9.8 / 10
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- EPSS Probability: 12.00% (Top 15% most exploited)

Affected Systems

- OpenWRT (various packages)
- IoT Web Servers (uHTTPd forks)
- Embedded Linux distros utilizing libstring-c

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| libstring-c (OpenSourceLib) | < 1.4.2 | 1.4.2 |

| Attribute | Detail |
| --- | --- |
| CWE ID | CWE-193 (Off-by-one Error) |
| Attack Vector | Network (Remote) |
| CVSS | 9.8 (Critical) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | PoC Available |
| Privileges | None Required |

CWE-193: Off-by-one Error

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Vulnerability Timeline

- 2024-01-10: Vulnerability discovered by internal audit
- 2024-01-15: Vendor notified
- 2024-02-01: Patch released (v1.4.2)
- 2024-02-03: Public PoC released
