CWE-1284
AllowedImproper Validation of Specified Quantity in Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
494 vulnerabilities reference this CWE, most recent first.
GHSA-5MPF-9QFH-9G4R
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-27 15:30Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
{
"affected": [],
"aliases": [
"CVE-2026-25345"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:16:45Z",
"severity": "CRITICAL"
},
"details": "Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through \u003c= 3.3.2.",
"id": "GHSA-5mpf-9qfh-9g4r",
"modified": "2026-03-27T15:30:25Z",
"published": "2026-03-25T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25345"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-3-2-arbitrary-code-execution-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5V77-J66X-4C4G
Vulnerability from github – Published: 2022-05-24 22:07 – Updated: 2022-05-24 22:07Impact
The implementation of tf.raw_ops.Conv3DBackpropFilterV2 does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack:
import tensorflow as tf
tf.raw_ops.Conv3DBackpropFilterV2(
input=tf.constant(.5053710941, shape=[2,2,2,2,1], dtype=tf.float16),
filter_sizes=tf.constant(0, shape=[], dtype=tf.int32),
out_backprop=tf.constant(.5053710941, shape=[2,2,2,2,1], dtype=tf.float16),
strides=[1, 1, 1, 1, 1],
padding="VALID",
data_format="NDHWC",
dilations=[1, 1, 1, 1, 1])
The code does not validate that the filter_sizes argument is a vector.
Patches
We have patched the issue in GitHub commit 174c5096f303d5be7ed2ca2662b08371bff4ab88.
The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29196"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T22:07:44Z",
"nvd_published_at": "2022-05-20T22:16:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe implementation of [`tf.raw_ops.Conv3DBackpropFilterV2`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/conv_grad_ops_3d.cc) does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack:\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.Conv3DBackpropFilterV2(\n input=tf.constant(.5053710941, shape=[2,2,2,2,1], dtype=tf.float16),\n filter_sizes=tf.constant(0, shape=[], dtype=tf.int32),\n out_backprop=tf.constant(.5053710941, shape=[2,2,2,2,1], dtype=tf.float16),\n strides=[1, 1, 1, 1, 1],\n padding=\"VALID\",\n data_format=\"NDHWC\",\n dilations=[1, 1, 1, 1, 1])\n```\n \nThe code does not validate that the `filter_sizes` argument is a vector.\n \n### Patches\nWe have patched the issue in GitHub commit [174c5096f303d5be7ed2ca2662b08371bff4ab88](https://github.com/tensorflow/tensorflow/commit/174c5096f303d5be7ed2ca2662b08371bff4ab88).\n\nThe fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.\n \n### For more information \nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.",
"id": "GHSA-5v77-j66x-4c4g",
"modified": "2022-05-24T22:07:44Z",
"published": "2022-05-24T22:07:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5v77-j66x-4c4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29196"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/174c5096f303d5be7ed2ca2662b08371bff4ab88"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/conv_grad_ops_3d.cc"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Missing validation causes denial of service via `Conv3DBackpropFilterV2`"
}
GHSA-5VHQ-WV6W-VJ48
Vulnerability from github – Published: 2022-08-18 00:00 – Updated: 2026-02-25 15:31Buffer Over-read in GitHub repository vim/vim prior to 9.0.0217.
{
"affected": [],
"aliases": [
"CVE-2022-2845"
],
"database_specific": {
"cwe_ids": [
"CWE-126",
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-17T15:15:00Z",
"severity": "HIGH"
},
"details": "Buffer Over-read in GitHub repository vim/vim prior to 9.0.0217.",
"id": "GHSA-5vhq-wv6w-vj48",
"modified": "2026-02-25T15:31:35Z",
"published": "2022-08-18T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/e98c88c44c308edaea5994b8ad4363e65030968c"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3e1d31ac-1cfd-4a9f-bc5c-213376b69445"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XGR-WQ7F-67XJ
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2025-11-04 18:30A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.
{
"affected": [],
"aliases": [
"CVE-2022-26127"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-03T18:15:00Z",
"severity": "HIGH"
},
"details": "A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.",
"id": "GHSA-5xgr-wq7f-67xj",
"modified": "2025-11-04T18:30:38Z",
"published": "2022-03-04T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26127"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/issues/10487"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-627Q-G293-49Q7
Vulnerability from github – Published: 2022-02-07 22:01 – Updated: 2024-11-07 22:27Impact
During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user:
const auto num_dims = Value(shape_dim);
std::vector<DimensionHandle> dims;
dims.reserve(num_dims);
Patches
We have patched the issue in GitHub commit 1361fb7e29449629e1df94d44e0427ebec8c83c7.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-23580"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-04T20:00:51Z",
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nDuring shape inference, TensorFlow can [allocate a large vector](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/shape_inference.cc#L788-L790) based on a value from a tensor controlled by the user:\n\n```cc\n const auto num_dims = Value(shape_dim);\n std::vector\u003cDimensionHandle\u003e dims;\n dims.reserve(num_dims);\n``` \n \n### Patches \nWe have patched the issue in GitHub commit [1361fb7e29449629e1df94d44e0427ebec8c83c7](https://github.com/tensorflow/tensorflow/commit/1361fb7e29449629e1df94d44e0427ebec8c83c7).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ",
"id": "GHSA-627q-g293-49q7",
"modified": "2024-11-07T22:27:04Z",
"published": "2022-02-07T22:01:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-627q-g293-49q7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23580"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/1361fb7e29449629e1df94d44e0427ebec8c83c7"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-89.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-144.yaml"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/shape_inference.cc#L788-L790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Abort caused by allocating a vector that is too large in Tensorflow"
}
GHSA-633W-44JW-WRP4
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31Improper bound check within AMD CPU microcode can allow a malicious guest to write to host memory, potentially resulting in loss of integrity.
{
"affected": [],
"aliases": [
"CVE-2025-52534"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T20:16:46Z",
"severity": "MODERATE"
},
"details": "Improper bound check within AMD CPU microcode can allow a malicious guest to write to host memory, potentially resulting in loss of integrity.",
"id": "GHSA-633w-44jw-wrp4",
"modified": "2026-02-10T21:31:31Z",
"published": "2026-02-10T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52534"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3023.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-676X-W6CW-FJ64
Vulnerability from github – Published: 2026-01-05 18:30 – Updated: 2026-01-20 15:33Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27.
{
"affected": [],
"aliases": [
"CVE-2024-30516"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-05T17:15:44Z",
"severity": "HIGH"
},
"details": "Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27.",
"id": "GHSA-676x-w6cw-fj64",
"modified": "2026-01-20T15:33:06Z",
"published": "2026-01-05T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30516"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-6-27-price-manipulation-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-6-27-price-manipulation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-68C6-W8Q5-F84G
Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-01-31 00:30IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled.
{
"affected": [],
"aliases": [
"CVE-2025-36428"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T22:15:55Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled.",
"id": "GHSA-68c6-w8q5-f84g",
"modified": "2026-01-31T00:30:28Z",
"published": "2026-01-31T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36428"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7257697"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68XF-4W7R-P3V5
Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2022-12-15 15:32In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242703217
{
"affected": [],
"aliases": [
"CVE-2022-20488"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T16:15:00Z",
"severity": "HIGH"
},
"details": "In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242703217",
"id": "GHSA-68xf-4w7r-p3v5",
"modified": "2022-12-15T15:32:12Z",
"published": "2022-12-13T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20488"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6973-8887-87FF
Vulnerability from github – Published: 2026-04-22 19:13 – Updated: 2026-04-27 16:22Impact
SkipBlockProof::verify computes its quorum check using BitSet.len(), then iterates BitSet indices and casts each usize index to u16 (slot as u16) for slot lookup. If an attacker can get a SkipBlockProof verified where MultiSignature.signers contains out-of-range indices spaced by 65536, these indices inflate len() but collide onto the same in-range u16 slot during aggregation.
This makes it possible for a malicious validator with far fewer than 2f+1 real signer slots to pass skip block proof verification by multiplying a single BLS signature by the same factor.
Patches
The patch for this vulnerability is included as part of v1.3.0.
Workarounds
No known workarounds.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nimiq-block"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33471"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-190",
"CWE-20",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T19:13:47Z",
"nvd_published_at": "2026-04-22T20:16:40Z",
"severity": "CRITICAL"
},
"details": "### Impact\n`SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot lookup. If an attacker can get a `SkipBlockProof` verified where `MultiSignature.signers` contains out-of-range indices spaced by 65536, these indices inflate `len()` but collide onto the same in-range `u16` slot during aggregation.\n\nThis makes it possible for a malicious validator with far fewer than `2f+1` real signer slots to pass skip block proof verification by multiplying a single BLS signature by the same factor.\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3657) is included as part of [v1.3.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0).\n\n### Workarounds\nNo known workarounds.",
"id": "GHSA-6973-8887-87ff",
"modified": "2026-04-27T16:22:04Z",
"published": "2026-04-22T19:13:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-6973-8887-87ff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33471"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/pull/3657"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/commit/d02059053181ed8ddad6b59a0adfd661ef5cd823"
},
{
"type": "PACKAGE",
"url": "https://github.com/nimiq/core-rs-albatross"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "nimiq-block has skip block quorum bypass via out-of-range BitSet indices \u0026 u16 truncation"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.