Green Hills Integrity RTOS: IPCOMShell Telnet Format String (CVE-2019-7711) (cxsecurity.com)
2 points by mbanyamer 5 hours ago | 1 comment

mbanyamer 5 hours ago
A classic format string bug (CWE-134) in the undocumented "prompt" command of Interpeak IPCOMShell on Green Hills INTEGRITY RTOS 5.0.4.

The vulnerability allows:

- Memory leaks via %p/%x/%s specifiers (defeating ASLR)
- Arbitrary memory writes via %n
- Potential control-flow hijacking in the TELNET shell

This is a 2019 CVE that was part of a larger batch of issues in the Interpeak stack used in safety-critical systems. The report includes a working PoC demonstrating the full leak → write chain in a simulated avionics ground maintenance environment.

Green Hills INTEGRITY is a high-assurance separation kernel widely used in aerospace, defense, and safety-critical applications.

Would be interesting to hear from people who have worked with INTEGRITY or similar RTOSes on:

- How common it still is to expose TELNET/maintenance interfaces during ground testing?
- Modern mitigation practices (partitioning, disabled networking in critical partitions, etc.)

No remote attack surface in normal flight configuration is claimed — only ground maintenance scenario.
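
The bug class the comment describes (user-controlled text used as a printf format string, CWE-134) and its fix, as an added C example that is not part of the original post or the linked report. The function names are hypothetical and do not come from IPCOMShell, and the sample prompt is constructed:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical prompt handler for a maintenance shell; names are illustrative.
 * Vulnerable pattern (CWE-134), shown only as a comment:
 *     printf(user_prompt);   // user text is parsed as the format string
 */

/* Hardened: the prompt is data. With a constant "%s" format the text is copied
 * verbatim, so %p/%x/%s/%n inside it are never interpreted.
 * Returns 0 on success, -1 if the prompt does not fit in out. */
int set_prompt(char *out, size_t outsz, const char *user_prompt)
{
    int w = snprintf(out, outsz, "%s", user_prompt);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

/* Count printf-style conversion directives in s ("%%" is a literal percent).
 * A non-zero result on a prompt value is worth logging or rejecting. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }          /* escaped percent */
        s++;                                         /* skip flags, width, precision, length */
        while (*s && strchr("-+ #0123456789.*$'hlLqjzt", *s))
            s++;
        if (!*s)
            break;                                   /* dangling '%' at end of input */
        if (strchr("diouxXeEfFgGaAcspn", *s))
            n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "%p.%p %n> ";               /* constructed sample input */
    char prompt[64];
    if (set_prompt(prompt, sizeof prompt, sample) == 0)
        printf("prompt stored verbatim: %s (directives seen: %d)\n",
               prompt, count_directives(sample));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag the vulnerable pattern (a non-literal format string with no arguments) at compile time.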