Improper URL Handling in SNMP Update Mechanism Leads to Memory Corruption in KerOS 4.3.3 and Below
Improper URL Handling in SNMP Update Mechanism Leads to Memory Corruption in KerOS 4.3.3 and Below
Improper URL Handling in SNMP Update Mechanism Leads to Memory Corruption in KerOS 4.3.3 and Below
| CVE ID | CVE-2024-32389 |
| CVE Link | https://nvd.nist.gov/vuln/detail/CVE-2024-32389 |
| Vendor | Kerlink |
| Affected Product & Version | KerOS ≤ 4.3.3 |
| Vulnerability Type | CWE-20 – Improper Input Validation |
| CVSS Base Score / CVSS Vector | NVD: Awaiting analysis BDO: 3.5 Low / CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| Author | Martin Weißbach |
| Date | 2026-05-27 |
CVE Details
Description:
The SNMP update mechanism in KerOS 4.3.3 and below improperly handles specially crafted URLs supplied for update packages, which may result in memory corruption and limited information disclosure.
Remediation:
KerOS4 and KerOS5 should no longer be used, as they are considered end of life. Instead, the most recent version of KerOS 6 should be used.
References:
Timeline
2024-03-19: Vulnerability reported to Kerlink
2024-03-23: Kerlink informed us that the issues were under analysis
2024-03-29: Vendor confirmed the vulnerabilities and provided an update on the current status of the analysis, including potential fixes
2024-04-08: We provided feedback on the fixes
2024-04-28: Vendor provided an update on the status of the fixes
2024-06-11: We reported additional vulnerabilities; ongoing communication regarding these issues
2025-08-05: We informed Kerlink of our intention to release the CVEs
2025-09-06: Vendor informed us that KerOS4 is EOL, KerOS will only be maintained for critical vulnerabilities tills end of 2025 and that this vulnerability does not affect KerOS6
2026-04-01: Coordinated public disclosure of this CVE was agreed upon with the vendor
2026-05-27: CVE published

