CVE-2024-41338
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/02/2025
Last modified:
03/06/2025
Description
A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:draytek:vigor165_firmware:*:*:*:*:*:*:*:* | 4.2.6 (excluding) | |
| cpe:2.3:h:draytek:vigor165:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigor166_firmware:*:*:*:*:*:*:*:* | 4.2.6 (excluding) | |
| cpe:2.3:h:draytek:vigor166:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigor2620_firmware:*:*:*:*:*:*:*:* | 3.9.8.8 (excluding) | |
| cpe:2.3:h:draytek:vigor2620:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigorlte200_firmware:*:*:*:*:*:*:*:* | 3.9.8.8 (excluding) | |
| cpe:2.3:h:draytek:vigorlte200:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigor2860_firmware:*:*:*:*:*:*:*:* | 3.9.7 (excluding) | |
| cpe:2.3:h:draytek:vigor2860:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigor2925_firmware:*:*:*:*:*:*:*:* | 3.9.7 (excluding) | |
| cpe:2.3:h:draytek:vigor2925:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigor2862_firmware:*:*:*:*:*:*:*:* | 3.9.9.4 (excluding) | |
| cpe:2.3:h:draytek:vigor2862:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:draytek:vigor2926_firmware:*:*:*:*:*:*:*:* | 3.9.9.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page