CVE-2024-26134
CBOR2 decoder has potential buffer overflow
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
agronholm · cbor2Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873dfhttps://github.com/agronholm/cbor2/pull/204https://github.com/agronholm/cbor2/releases/tag/5.6.2https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7mhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/