PT-2019-14268 · Libflate · Libflate

Published

2019-07-04

Updated

2021-08-25

CVE-2019-15552

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions libflate versions prior to 0.1.25

Description The issue is related to a use-after-free vulnerability in the MultiDecoder::read() function, which can lead to arbitrary code execution. This occurs when the execution of MultiDecoder::read() is interrupted by a panic in a caller-supplied Read implementation, causing drop() to be called on uninitialized memory of a generic type implementing Read. The vulnerability allows an attacker to potentially gain arbitrary code execution.

Recommendations For versions prior to 0.1.25, update to version 0.1.25 or later to resolve the issue. As a temporary workaround, consider aborting immediately instead of unwinding the stack in case of a panic within MultiDecoder::read().

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

CVE-2019-15552

GHSA-RPCM-WHQC-JFW8

RUSTSEC-2019-0010

Affected Products

Libflate

PT-2019-14268 · Libflate · Libflate

CVE-2019-15552

Weakness Enumeration

Related Identifiers

Affected Products

References · 15