Skip Navigation

May 3, 2021 |

Multiple vulnerabilities in IoT and OT devices require patching

Loading table of contents...

On 29 April 2021, Microsoft released a report on 25 critical memory allocation flaws in internet-of-things (IoT) and operational technology (OT) devices that are commonly connected to industrial, medical, and enterprise networks. 


  • Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a list of affected devices and recommendations on applying the security patches.
  • The flaws, collectively dubbed "BadAlloc", exist in standard functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
  • The memory allocation implementations in the affected devices are missing proper input validations. This could allow threat actors to perform a heap overflow, execute malicious code or cause a denial-of-service (DoS) condition.
  • The most severe flaw has been assigned a CVSS v3 score of 9.8.

Why it's important

  • The listed devices serve as an easy entry to a network, if left unpatched and/or poorly implemented.
  • We recommend applying the vendor patches and reviewing CISA mitigations.
  • The fixes are currently in progress by the affected vendors, including Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent.
  • Check the CISA advisory for a complete list of vulnerable products, as well as the patches currently available.