PT-2024-24940 · Vitess · Vitess

Mattrobenolt · Published 2024-05-08 · Updated 2024-05-10 · CVE-2024-32886

CVSS v3.1: 4.9 Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Vitess versions prior to 17.0.7
Vitess versions prior to 18.0.5
Vitess versions prior to 19.0.4

Description

Executing a specific query causes the vtgate to enter an endless loop and consume increasing amounts of memory, eventually leading to a denial of service through memory exhaustion. The decoding functions for certain collations, such as utf16, utf32, and ucs2, enforce a minimal character length, while the callers of DecodeRune rely on the returned number of bytes consumed to make progress. If there is only 1 byte left in the input, the decoder returns 0, the caller does not consume the character, and the loop never terminates. The estimated number of potentially affected devices worldwide is not specified.

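The zero-progress loop described above, as an added Go example (not Vitess code). The names decodeRuneUTF16BE, countRunesUnchecked and countRunesChecked are hypothetical, and the zero-size check is one way to harden a caller, not necessarily the change shipped in the fixed releases.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// decodeRuneUTF16BE is a hypothetical fixed-width decoder with the behaviour
// the advisory describes: with fewer than 2 bytes left it reports size 0.
func decodeRuneUTF16BE(b []byte) (rune, int) {
	if len(b) < 2 {
		return utf8.RuneError, 0
	}
	return rune(b[0])<<8 | rune(b[1]), 2
}

// countRunesUnchecked trusts the reported size. maxIter exists only so this
// demo terminates; without it a trailing odd byte makes the loop spin forever.
func countRunesUnchecked(b []byte, maxIter int) (count int, stalled bool) {
	for i := 0; len(b) > 0; i++ {
		if i >= maxIter {
			return count, true
		}
		_, n := decodeRuneUTF16BE(b)
		b = b[n:] // n == 0 leaves b unchanged, so len(b) > 0 stays true
		count++
	}
	return count, false
}

// countRunesChecked treats a zero-size decode as malformed input and stops.
func countRunesChecked(b []byte) (int, error) {
	count := 0
	for len(b) > 0 {
		_, n := decodeRuneUTF16BE(b)
		if n == 0 {
			return count, fmt.Errorf("decoder made no progress with %d byte(s) left", len(b))
		}
		b = b[n:]
		count++
	}
	return count, nil
}

func main() {
	input := []byte{0xFF} // constructed sample: one byte, like the 0xFF in the query the advisory names
	fmt.Println(countRunesUnchecked(input, 1000))
	fmt.Println(countRunesChecked(input))
}
```

In the unchecked loop every stalled iteration still does work (here, incrementing a counter), which is how a loop like this turns a one-byte input into unbounded resource use.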
Recommendations

For versions prior to 17.0.7, update to version 17.0.7 or later. For versions prior to 18.0.5, update to version 18.0.5 or later. For versions prior to 19.0.4, update to version 19.0.4 or later.

As a temporary workaround, consider restricting the use of the utf16, utf32, and ucs2 encodings in queries to minimize the risk of exploitation. Avoid using the select utf16 0xFF query in the affected API endpoint until the issue is resolved.

Exploit

Fix

Infinite Loop

Weakness Enumeration

Related Identifiers

AZL-40360
AZL-40493
CVE-2024-32886
GHSA-649X-HXFX-57J2
GO-2024-2826

Affected Products

Vitess