CVE-2023-23301 Information
May 24, 2023
Description
The "news" MonkeyC operation code in CIQ API version 1.0.0 through 4.1.7 fails to check that string resources do not extend past the end of the expected sections. A malicious CIQ application could craft a string that starts near the end of a section and whose length extends past its end. Upon loading the string, the GarminOS TVM component may read out-of-bounds memory.
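The bounds check that the description says is missing, written out in C as an added example; it is not code from the advisory or from Garmin. The section descriptor, the 2-byte big-endian length prefix, the sample bytes and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical section descriptor; not the GarminOS TVM's real structure. */
struct section { const uint8_t *base; size_t size; };

/* Assumed string layout for illustration: 2-byte big-endian length, then bytes. */
#define STR_HDR_LEN 2u

/* Constructed sample section: "hi" at offset 0, then a string at offset 4
 * whose declared length (0x0010) runs past the end of the 8-byte section. */
const uint8_t SAMPLE[8] = {0x00, 0x02, 'h', 'i', 0x00, 0x10, 'A', 'B'};

/* Copy the string resource at `offset` into `out` (NUL-terminated).
 * Returns its length, or -1 if header or body would leave the section. */
long load_string_checked(const struct section *s, size_t offset,
                         char *out, size_t out_cap)
{
    /* The length header itself must lie inside the section. */
    if (offset > s->size || s->size - offset < STR_HDR_LEN)
        return -1;

    size_t len = ((size_t)s->base[offset] << 8) | s->base[offset + 1];
    size_t remaining = s->size - offset - STR_HDR_LEN;

    /* Declared length versus section end. Comparing against the bytes
     * that remain avoids any addition that could wrap around. */
    if (len > remaining)
        return -1;
    if (out_cap == 0 || len > out_cap - 1)
        return -1;

    memcpy(out, s->base + offset + STR_HDR_LEN, len);
    out[len] = '\0';
    return (long)len;
}

int main(void)
{
    struct section s = { SAMPLE, sizeof SAMPLE };
    char buf[32];
    printf("offset 0 -> %ld\n", load_string_checked(&s, 0, buf, sizeof buf));
    printf("offset 4 -> %ld\n", load_string_checked(&s, 4, buf, sizeof buf));
    return 0;
}
```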
Reference
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23301.md