CVE-2023-28904

Published: Jun 28, 2025Modified: Jun 17, 2026Deferred

5.2

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Exploitability: 0.9 / Impact: 4.2

Source: cve@asrg.io (Secondary)

Description

A logic flaw leading to a RAM buffer overflow in the bootloader component of the MIB3 infotainment unit allows an attacker with physical access to the MIB3 ECU to bypass firmware signature verification and run arbitrary code in the infotainment system at boot process.

Related CWEs

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (4)

https://asrg.io/security-advisories/vulnerabilities-in-volkswagen-mib3-infotainment-part-2/

Source: cve@asrg.io

https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf

Source: cve@asrg.io

https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-vw-mib3-infotainment-2

Source: cve@asrg.io

https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.