CPATH-2026-0015 · SMART GLASSES AR

HoloLens Device Portal pairing-API unauthenticated DoS (CVE-2024-57972)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths CRITICAL Dominant consequence DEVICE_AVAILABILITY Physical/safety · Evidence EV:2 (report-backed) · Liveness PATCH_AVAILABLE

CPATH ID	`CPATH-2026-0015`
CVE(s)	CVE-2024-57972
Device / class	HoloLens Device Portal pairing-API unauthenticated DoS (CVE-2024-57972) (SMART GLASSES AR)
Vendor	Microsoft
Dominant consequence	`DEVICE_AVAILABILITY` (Physical/safety)
Paths verdict	CRITICAL (worst of 1 path)
Published baseline	v3.1 6.5 MEDIUM `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` · MITRE via NVD
Baseline relationship	▼ Paths higher
Consequence dimension(s)	#1 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

Physical/safety

`DEVICE_AVAILABILITY`

CRITICAL

Reachability RE:4

Complexity EC:4

Consequence DEVICE_AVAILABILITY

Scale SR:2 / SX:3

Verdict CRITICAL

Reachability 4

Complexity 4

Exposure 4

Physical / safety 2

Data / perception 0

Authority 0

Chainability 1

Reuse scale 2

Execution scale 3

Recovery 1

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:4/EC:4/EX:4/PH:2/DP:0/AT:0/CH:1/SR:2/SX:3/OR:1/EV:2/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses HoloLens Device Portal pairing-API unauthenticated DoS (CVE-2024-57972) at CRITICAL — the worst of 1 risk path (safety). The dominant consequence is denial of a device function.

Vulnerability

HoloLens Device Portal pairing-API unauthenticated DoS (CVE-2024-57972). Reported attack vector: NETWORK (HTTP to Device Portal pairing API), no auth, no user interaction.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`DEVICE_AVAILABILITY` → CRITICAL

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:4/EC:4/EX:4/PH:2/DP:0/AT:0/CH:1/SR:2/SX:3/OR:1/EV:2/LS:PATCH_AVAILABLE

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=ELEVATED · AT=ELEVATED → base CRITICAL → assessed CRITICAL.

Unauthenticated HTTP flood of the Device Portal pairing API exhausts resources and renders the HoloLens unresponsive until the flood stops or the device reboots. RE:4 network-reachable, no auth, no user interaction (gated only by whether Device Portal is enabled/reachable, but per rule position is internet/default-exposed-style network reachability). EC:4 trivial single-vector commodity flood. AT:0 no privilege/code-execution/authority gain, pure resource exhaustion. PH:2 availability disruption of head-worn AR overlay mid-use is a usability/safety nuisance but no actuation, wrong therapy, or persistent harm; device recovers on reboot - not credible injury so not PH:3/4. DP:0 no confidentiality/integrity impact. CH:1 availability loss is not a reusable cross-domain authority bridge. SR:2 the technique (no per-device secret) is reusable across the device class but no shared key/credential/signing-root is captured (not SR:4). SX:3 a script can sweep many reachable HoloLens devices deployment-wide, but each requires a reachable network position and effect is transient per device - not true fleet-scale cloud/supply-chain remote (SX:4). OR:1 recovery is a simple reboot / stop-the-flood, no fleet reprovision or key rotation needed; patch available. EV:2 report-backed (CVE advisory, not independently reproduced here). LS PATCH_AVAILABLE.
boundary_crossing — true: crosses network->device(app/service)->physical-use boundary. No actuation/perception feeding action, so perception_feeds_action=false; recovery_needs_fleet_action=false;
active_exploitation — false (no known in-the-wild exploitation).

Published baseline

v3.1 6.5 MEDIUM — CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H — MITRE via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57972

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0015 (“HoloLens Device Portal pairing-API unauthenticated DoS (CVE-2024-57972)”), paths.cfse.ai/CPATH-2026-0015 (published 2026-06-03).