PT-2018-3541 · Google+1 · Google Guava+1
Published: 2018-04-26 · Updated: 2026-05-18
CVE-2018-10237
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Google Guava versions 11.0 through 24.x before 24.1.1
Description: The issue is unbounded memory allocation in the AtomicDoubleArray and CompoundOrdering classes during deserialization. A remote attacker can use it to mount a denial-of-service attack against a server that relies on this library and deserializes attacker-provided data. The vulnerability arises because these classes allocate memory eagerly, based on a size value taken from the client-supplied data, without validating that value or the data it describes.
Recommendations: For Google Guava versions 11.0 through 24.x before 24.1.1, update to version 24.1.1 or later to resolve the issue. As a temporary workaround, restrict the deserialization of attacker-provided data to reduce the exposure. Additionally, restrict access to the AtomicDoubleArray and CompoundOrdering classes until the issue is resolved.
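The following Java program is an added illustration and is not code from Positive Technologies or from the Guava project. It shows the allocation pattern the description refers to in a hypothetical class (EagerDoubles), its hardened counterpart (BoundedDoubles, which validates the declared element count and grows its buffer only as elements actually arrive), and a JDK deserialization filter that implements the advisory's interim workaround by rejecting the two Guava classes by name. The class names in the filter are Guava's; the numeric limits, the demo classes and the sample data are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public class DeserializationAllocationDemo {

    // Shared serial form for both demo classes: an element count followed by that many doubles.
    static void writeDoubles(ObjectOutputStream out, double[] values) throws IOException {
        out.defaultWriteObject();
        out.writeInt(values.length);
        for (double v : values) out.writeDouble(v);
    }

    // Hypothetical class showing the weak pattern the advisory describes: the count read from the
    // stream is trusted as-is, so the whole backing array is allocated before any element arrives.
    static final class EagerDoubles implements Serializable {
        private static final long serialVersionUID = 1L;
        transient double[] values;
        EagerDoubles(double[] values) { this.values = values; }
        private void writeObject(ObjectOutputStream out) throws IOException { writeDoubles(out, values); }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int length = in.readInt();
            values = new double[length];          // a forged count reserves memory immediately
            for (int i = 0; i < length; i++) values[i] = in.readDouble();
        }
    }

    // Hardened counterpart: reject an implausible count up front, then grow the buffer only as
    // real elements are read, so a truncated stream fails before much memory is committed.
    static final class BoundedDoubles implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int MAX_ELEMENTS = 1 << 20;  // assumed application-specific ceiling
        transient double[] values;
        BoundedDoubles(double[] values) { this.values = values; }
        private void writeObject(ObjectOutputStream out) throws IOException { writeDoubles(out, values); }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int length = in.readInt();
            if (length < 0 || length > MAX_ELEMENTS) {
                throw new InvalidObjectException("declared element count out of range: " + length);
            }
            double[] buf = new double[Math.min(length, 16)];
            for (int i = 0; i < length; i++) {
                if (i == buf.length) buf = Arrays.copyOf(buf, Math.min(length, buf.length * 2));
                buf[i] = in.readDouble();
            }
            values = buf;
        }
    }

    // Process-wide workaround while the library cannot be upgraded: a JDK deserialization filter
    // (java.io.ObjectInputFilter, Java 9+) that caps stream-created arrays and nesting depth and
    // rejects the two Guava classes named in the advisory. The numeric limits are assumptions;
    // append ";!*" to turn the remainder into a strict allowlist.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=100000;maxdepth=32;"
          + "!com.google.common.util.concurrent.AtomicDoubleArray;"
          + "!com.google.common.collect.CompoundOrdering");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Test fixture (constructed): overwrite the declared count inside the block-data record that
    // writeDoubles produced, simulating a client that misreports how many elements follow.
    static byte[] patchDeclaredLength(byte[] stream, int oldLen, int newLen) {
        byte[] needle = {0x77, (byte) (4 + 8 * oldLen), 0, 0, 0, (byte) oldLen}; // TC_BLOCKDATA, size, count
        for (int i = 0; i + needle.length <= stream.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(stream, i, i + needle.length), needle)) {
                byte[] out = stream.clone();
                for (int k = 0; k < 4; k++) out[i + 2 + k] = (byte) (newLen >>> (24 - 8 * k));
                return out;
            }
        }
        throw new IllegalStateException("declared count not found in stream");
    }

    public static void main(String[] args) throws Exception {
        double[] sample = {1.0, 2.5, -3.75};                       // constructed sample data
        BoundedDoubles ok = (BoundedDoubles) deserialize(serialize(new BoundedDoubles(sample)));
        System.out.println("round-tripped " + ok.values.length + " elements");

        byte[] forged = patchDeclaredLength(serialize(new BoundedDoubles(sample)), 3, Integer.MAX_VALUE);
        try {
            deserialize(forged);                   // EagerDoubles would attempt a ~16 GiB allocation here
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());     // BoundedDoubles fails fast instead
        }
    }
}
```

One caveat worth keeping in mind when relying on the filter alone: the `maxarray` limit only applies to arrays the stream itself creates. An allocation performed inside a class's custom `readObject` method, which is the pattern shown in EagerDoubles, is invisible to it, so for this weakness the effective part of the filter is the explicit rejection of the affected classes, and the durable fix remains the library update.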

Exploit · Fix · DoS · Deserialization of Untrusted Data · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALT-PU-2018-1834
BDU:2020-03317
CLEANSTART-2026-DD05788
CLEANSTART-2026-JU62349
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-VH41554
CLEANSTART-2026-WK99982
CVE-2018-10237
GHSA-MVR2-9PJ6-7W5J
RHSA-2018:2423
RHSA-2018:2424
RHSA-2018:2598
RHSA-2018:2643
RHSA-2018:2741
RHSA-2018:2742
RHSA-2018:2743
RHSA-2018:2927

Affected Products

Alt Linux
Google Guava