PT-2024-27463 · Unknown+1 · Oqs-Provider+1
Ngg · Published 2024-06-17 · Updated 2025-01-02 · CVE-2024-37305
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions
oqs-provider versions prior to 0.6.1
Description
The issue arises from the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid keys and signatures. Unchecked length values are later used for memory reads and writes, which can lead to crashes or information leakage when given malformed input. This issue does not affect the handling of plain/non-hybrid PQ key operations.
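The kind of check whose absence is described above, as an added example (not oqs-provider's code): a bounds-checked split of a length-prefixed hybrid blob. The layout (a 4-byte big-endian length of the first component, followed by both components) and the names hybrid_split, hybrid_parts and expected_second_len are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define LEN_PREFIX 4u  /* size of the serialized length field */

/* Hypothetical view of a split hybrid blob; not an oqs-provider type. */
struct hybrid_parts {
    const uint8_t *first;  size_t first_len;   /* classical component */
    const uint8_t *second; size_t second_len;  /* post-quantum component */
};

/* Big-endian 32-bit decode; caller guarantees 4 readable bytes. */
static uint32_t decode_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Split buf[0..buf_len) into its two components.
 * expected_second_len is the fixed size the PQ algorithm requires.
 * Returns 0 on success, -1 on malformed input; out is written only on success.
 */
int hybrid_split(const uint8_t *buf, size_t buf_len,
                 size_t expected_second_len, struct hybrid_parts *out)
{
    if (buf == NULL || out == NULL || buf_len < LEN_PREFIX)
        return -1;                      /* too short to hold the prefix */

    size_t remaining = buf_len - LEN_PREFIX;
    uint32_t declared = decode_u32_be(buf);

    /* Compare against what is left instead of computing
     * LEN_PREFIX + declared: the subtraction form cannot wrap,
     * even where size_t is 32 bits wide. */
    if (declared == 0 || declared > remaining)
        return -1;
    if (remaining - declared != expected_second_len)
        return -1;                      /* second part truncated or padded */

    out->first = buf + LEN_PREFIX;
    out->first_len = declared;
    out->second = out->first + declared;
    out->second_len = expected_second_len;
    return 0;
}
```

Every later read or copy then uses first_len and second_len from the validated structure rather than the raw decoded value.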
Recommendations
For versions prior to 0.6.1, upgrade to version 0.6.1 to resolve the issue.
At the moment, there are no other known workarounds for this issue.
Exploit
Fix
Integer Overflow
Buffer Overflow
Related Identifiers
Affected Products
Suse
Oqs-Provider