← back
CVE-2024-26134

CBOR2 decoder has potential buffer overflow

CVSS 7.5 HIGHEPSS 1.2%CWE-120
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 1.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
19 Feb 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
agronholm · cbor2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873dfhttps://github.com/agronholm/cbor2/pull/204https://github.com/agronholm/cbor2/releases/tag/5.6.2https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7mhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/