CVE-2024-41434

Name of the Vulnerable Software and Affected Versions PingCAP TiDB version 8.1.0

Description The issue is related to a buffer overflow via the (*Column).GetDecimal component, which can be exploited to cause a Denial of Service (DoS) by providing a crafted input to the 'RemoveUnnecessaryFirstRow' function. This function checks the expression between 'Agg' and 'GroupBy' but does not verify the return type. It is worth noting that PingCAP disputes the severity of this issue, considering it a complex query bug rather than a DoS vulnerability.

Recommendations For PingCAP TiDB version 8.1.0, as a temporary workaround, consider restricting the use of the (*Column).GetDecimal component until a patch is available. Additionally, avoid using crafted inputs to the 'RemoveUnnecessaryFirstRow' function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.