CVE-2024-56189 - Out-of-Bounds Read Leads to Information Leak in SAEMM_RadioMessageCodec – Full Analysis and Proof-of-Concept

A new vulnerability, CVE-2024-56189, has been discovered in the SAEMM_RadioMessageCodec.c component, specifically in the SAEMM_DiscloseMsId function. This flaw allows a remote attacker, after authentication, to read sensitive data from out-of-bounds memory locations, leading to potential information disclosure. No elevated privileges or user interaction are required to exploit this issue, making it a critical bug to understand and mitigate.

This detailed post breaks down the vulnerability, offers a look at the vulnerable code, and outlines how it can be exploited with a simple proof-of-concept. Exclusive analysis and references are included to help engineers secure their deployments.

What is SAEMM_RadioMessageCodec?

SAEMM_RadioMessageCodec is a significant part of certain communication systems. It is used to encode and decode radio messages, and it typically handles sensitive identifiers, like mobile subscriber IDs (MsId). Any weaknesses in how these IDs are processed could lead to leaks of personally identifiable information—exactly what happens with CVE-2024-56189.

Where is the Problem?

The vulnerability occurs in the SAEMM_DiscloseMsId function. The function reads an array without properly checking the upper size limits before accessing its elements.

Here is a representative pseudocode snippet of the vulnerable function

// Vulnerable code snippet
int SAEMM_DiscloseMsId(const uint8_t *data, size_t data_len) {
    int idx = data[];      // Index taken from attacker-controlled data
    uint8_t msid = data[1];

    // Vulnerability: No check if idx < data_len
    uint8_t value = data[idx]; // Out-of-bounds read possible

    // Some processing with 'value'...
    processMsId(value, msid);

    return ;
}

Issue:
There is no bounds check to ensure that the idx value—controlled by attacker input—is within the valid range. If an attacker sends crafted data such that idx is beyond data_len, the code reads beyond the allocated buffer.

Could leak private or sensitive data (like keys, session tokens, or user identifiers).

- Exploitation happens *post*-authentication, so the attacker must be authenticated (but no special privileges are required).

Proof-of-Concept Exploit

To show how simple this is to exploit, consider the following proof-of-concept.

Imagine an attacker sends the following data

// Example attacker payload
uint8_t payload[2] = {x20, x01}; // idx = 32 (x20), msid = x01
size_t payload_len = 2;

SAEMM_DiscloseMsId(payload, payload_len);

Since payload only has two bytes, but idx is set to 32, accessing data[32] will read garbage—i.e., out-of-bounds memory.

Step 2: Extract Sensitive Data

If the attacker repeats this, incrementing the index (idx), they can dump the contents in memory after the buffer, leaking sensitive artifacts. In a more complex application, these could include leftover encryption keys, session tokens, or details of other users.

References

- National Vulnerability Database - CVE-2024-56189 entry *(will be updated as analysis continues)*
- MITRE CVE Basis for CVE-2024-56189
- General Guide: Out-of-bounds read
- Similar Issues: Google Project Zero's analysis of recent OOB reads

How to Fix

It’s crucial to validate all input—especially attacker-supplied indices. In this case, the vulnerable code should add a simple condition:

if (idx < data_len) {
    uint8_t value = data[idx];
    // proceed...
} else {
    // handle error, reject input
}

Applying bounds checks across the codebase is the recommended mitigation.

Conclusion

CVE-2024-56189 highlights the classic dangers of out-of-bounds reads in code that handles critical identifiers. Exploiting this bug is alarmingly easy for authenticated attackers, yet the solution—validating input—is straightforward. Engineers using or integrating SAEMM_RadioMessageCodec should update their software or contact their vendor for a patch immediately. Information disclosures like this can have wide-reaching impact, especially in communication or telecom systems.

Bookmark this post for updates and further research as more information emerges!

*(Feel free to share this analysis but please provide attribution. Stay secure!)*

Timeline

Published on: 09/04/2025 10:42:26 UTC
Last modified on: 09/26/2025 17:19:42 UTC