Peter Agten

Rank #31579 of 53,635 · Total CVSS 8.1 · Vulnerabilities: 1
PT-2022-3579 · CVSS 8.1 · 2022-05-05 · Rsyslog · Rsyslog · CVE-2022-24903
**Name of the Vulnerable Software and Affected Versions**

Rsyslog (affected versions not specified)

**Description**

The issue is a potential heap buffer overflow in the TCP syslog reception modules when octet-counted framing is used. It can result in a segfault or other malfunction. The issue is believed not to be usable for remote code execution, although a slight chance remains that experts could achieve it.

The bug occurs while the octet count is read: digits are written to a heap buffer even after the octet count has exceeded the maximum, so the buffer can be overrun. Once the run of digits ends, however, no further characters can be written to the buffer, which makes a remote exploit highly complex.

The modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception, and best practice is not to expose them directly to the public. Octet-counted framing is relatively uncommon and usually has to be specifically enabled at the senders.

**Recommendations**

As a temporary workaround, disable octet-counted framing for the modules where it is not needed: turning it off for `imtcp`, `imptcp`, `imgssapi`, and `imhttp` mitigates the vulnerability. Restrict access to these modules to minimize the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this vulnerability.
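The defect class above is an octet-count reader that stores digits before checking their number against the maximum. The following is an added example, not rsyslog code: a bounded parser for octet-counted framing (`<LEN> <MSG>`, as in RFC 6587) that caps the digit run before any byte is stored and rejects counts above a maximum message size. The names `parse_octet_counted`, `FramingError` and `MAX_MSG_LEN` are assumptions of this example.

```python
# Added example, not taken from rsyslog: a hardened octet-counted frame parser.
# Frames look like b"5 hello": a decimal octet count, one space, then that many bytes.
MAX_MSG_LEN = 8192  # assumed maximum accepted message size (constructed value)


class FramingError(ValueError):
    """Raised instead of accepting an overlong digit run or an oversized count."""


def parse_octet_counted(stream: bytes, max_msg_len: int = MAX_MSG_LEN):
    """Split a byte buffer of octet-counted frames into message payloads.

    Returns (messages, remaining_bytes); remaining_bytes holds an incomplete
    trailing frame so the caller can retry once more data arrives.
    """
    # Any count longer than this many digits cannot be a legal length, so the
    # bound is enforced before a digit is appended, never after.
    max_digits = len(str(max_msg_len))
    messages = []
    pos = 0
    while pos < len(stream):
        frame_start = pos
        digits = bytearray()
        while pos < len(stream) and 0x30 <= stream[pos] <= 0x39:  # ASCII '0'..'9'
            if len(digits) >= max_digits:
                raise FramingError("octet count has too many digits")
            digits.append(stream[pos])
            pos += 1
        if not digits:
            raise FramingError("frame does not start with an octet count")
        if pos >= len(stream):
            break  # count not yet terminated; wait for more data
        if stream[pos] != 0x20:  # ASCII space
            raise FramingError("octet count not followed by a space")
        pos += 1
        length = int(digits)
        if length == 0 or length > max_msg_len:
            raise FramingError(f"octet count {length} outside 1..{max_msg_len}")
        if pos + length > len(stream):
            break  # body incomplete; hand the whole frame back to the caller
        messages.append(bytes(stream[pos:pos + length]))
        pos += length
    else:
        return messages, b""
    return messages, bytes(stream[frame_start:])
```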