CVE-2022-24795

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions yajl-ruby versions 1.x through 2.x

Description The issue is related to an integer overflow in the yajl-ruby library, which leads to heap memory corruption when dealing with large inputs (~2GB). The reallocation logic at yajl buf.c#L64 may result in the need 32bit integer wrapping to 0, causing a reallocation of buf->alloc into a small heap chunk. This vulnerability mostly impacts process availability, and maintainers believe exploitation for arbitrary code execution is unlikely.

Recommendations For yajl-ruby versions 1.x through 2.x, update to version 1.4.3 to resolve the issue. As a temporary workaround, avoid passing large inputs to YAJL.

Exploit

Fix

Integer Overflow

Heap Based Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190CWE-122

Related Identifiers

ALSA-2022:7524

ALSA-2022:8252

ALSA-2022_7524

ALSA-2022_8252

ALT-PU-2023-4612

ALT-PU-2023-7987

ALT-PU-2024-16516

AZL-10552

AZL-35233

BDU:2023-07630

CESA-2022_7524

CVE-2022-24795

DLA-3492-1

DLA-3516-1

GHSA-JJ47-X69X-MXRM

OESA-2022-1752

OESA-2022-1912

OPENSUSE-SU-2022_3162-1

OPENSUSE-SU-2024:12258-1

RHSA-2022:7524

RHSA-2022:8252

RHSA-2022_7524

RHSA-2022_8252

RHSA-2024:2063

RLSA-2022:7524

RLSA-2022:8252

SUSE-SU-2022:1746-1

SUSE-SU-2022:1918-1

SUSE-SU-2022:3162-1

SUSE-SU-2022_1746-1

SUSE-SU-2022_3162-1

USN-6233-1

USN-6233-2

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Debian

Linuxmint

Red Hat

Rocky Linux

Suse

Ubuntu

Yajl-Ruby

CVE-2022-24795

Weakness Enumeration

Related Identifiers

Affected Products

References · 73