CWE-252
AllowedUnchecked Return Value
Abstraction: Base · Status: Draft
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
227 vulnerabilities reference this CWE, most recent first.
GHSA-Q4Q2-R8QR-QGWM
Vulnerability from github – Published: 2024-09-17 03:30 – Updated: 2024-09-17 03:30Denial of Service (DoS) vulnerability has been found in Dual-redundant Platform for Computer. If a computer on which the affected product is installed receives a large number of UDP broadcast packets in a short period, occasionally that computer may restart. If both the active and standby computers are restarted at the same time, the functionality on that computer may be temporarily unavailable.
{
"affected": [],
"aliases": [
"CVE-2024-8110"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T02:15:49Z",
"severity": "HIGH"
},
"details": "Denial of Service (DoS) vulnerability has been found in Dual-redundant Platform for Computer.\nIf a computer on which the affected product is installed receives a large number of UDP broadcast packets in a short period, occasionally that computer may restart.\nIf both the active and standby computers are restarted at the same time, the functionality on that computer may be temporarily unavailable.",
"id": "GHSA-q4q2-r8qr-qgwm",
"modified": "2024-09-17T03:30:45Z",
"published": "2024-09-17T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8110"
},
{
"type": "WEB",
"url": "https://web-material3.yokogawa.com/1/36276/files/YSAR-24-0003-E.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5GM-54VF-Q27W
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40A remote code execution vulnerability in the Android media framework (libhevc). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37430213.
{
"affected": [],
"aliases": [
"CVE-2017-0720"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-09T21:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability in the Android media framework (libhevc). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37430213.",
"id": "GHSA-q5gm-54vf-q27w",
"modified": "2022-05-13T01:40:32Z",
"published": "2022-05-13T01:40:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0720"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-08-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100204"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8QJ-FC9Q-CPHR
Vulnerability from github – Published: 2020-09-25 18:28 – Updated: 2024-10-28 14:53Impact
If a user passes an invalid argument to dlpack.to_dlpack the expected validations will cause variables to bind to nullptr while setting a status variable to the error condition.
However, this status argument is not properly checked:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L265-L267
Hence, code following these methods will bind references to null pointers: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L279-L285
This is undefined behavior and reported as an error if compiling with -fsanitize=null.
Patches
We have patched the issue in 22e07fb204386768e5bcbea563641ea11f96ceb8 and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been discovered during variant analysis of GHSA-rjjg-hgv6-h69v.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.0"
]
}
],
"aliases": [
"CVE-2020-15191"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-252",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-25T17:03:28Z",
"nvd_published_at": "2020-09-25T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition.\n\nHowever, this `status` argument is not properly checked:\nhttps://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L265-L267\n\nHence, code following these methods will bind references to null pointers:\nhttps://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L279-L285\n\nThis is undefined behavior and reported as an error if compiling with `-fsanitize=null`.\n\n### Patches\nWe have patched the issue in 22e07fb204386768e5bcbea563641ea11f96ceb8 and will release a patch release for all affected versions.\n\nWe recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been discovered during variant analysis of [GHSA-rjjg-hgv6-h69v](https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v).",
"id": "GHSA-q8qj-fc9q-cphr",
"modified": "2024-10-28T14:53:41Z",
"published": "2020-09-25T18:28:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q8qj-fc9q-cphr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15191"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-271.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-306.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-114.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Undefined behavior in Tensorflow"
}
GHSA-QH9X-GCFH-PCRW
Vulnerability from github – Published: 2022-07-21 22:33 – Updated: 2022-08-10 23:52Impact
ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.
The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.
Patches
The issue was patched in 4.7.1.
References
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552
For more information
If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts-upgradeable"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31170"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-252"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-21T22:33:01Z",
"nvd_published_at": "2022-07-22T04:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\n`ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.\n\nThe contracts that may be affected are those that use `ERC165Checker` to check for support for an interface and then handle the lack of support in a way other than reverting.\n\n### Patches\n\nThe issue was patched in 4.7.1.\n\n### References\n\nhttps://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\n\n### For more information\n\nIf you have any questions or comments about this advisory, or need assistance deploying the fix, email us at [security@openzeppelin.com](mailto:security@openzeppelin.com).\n",
"id": "GHSA-qh9x-gcfh-pcrw",
"modified": "2022-08-10T23:52:57Z",
"published": "2022-07-21T22:33:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-qh9x-gcfh-pcrw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31170"
},
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenZeppelin Contracts\u0027s ERC165Checker may revert instead of returning false"
}
GHSA-QQ7J-G886-9QQH
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35A denial of service issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.0.1. An attacker may be able to bypass Managed Frame Protection.
{
"affected": [],
"aliases": [
"CVE-2020-27898"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-08T21:15:00Z",
"severity": "MODERATE"
},
"details": "A denial of service issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.0.1. An attacker may be able to bypass Managed Frame Protection.",
"id": "GHSA-qq7j-g886-9qqh",
"modified": "2022-05-24T17:35:40Z",
"published": "2022-05-24T17:35:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27898"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211931"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212011"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Dec/26"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Dec/32"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QQFM-9JCC-9Q44
Vulnerability from github – Published: 2024-06-16 03:30 – Updated: 2024-07-03 18:45In International Color Consortium DemoIccMAX before 85ce74e, a logic flaw in CIccTagXmlProfileSequenceId::ParseXml in IccXML/IccLibXML/IccTagXml.cpp results in unconditionally returning false.
{
"affected": [],
"aliases": [
"CVE-2024-38427"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-16T02:15:08Z",
"severity": "HIGH"
},
"details": "In International Color Consortium DemoIccMAX before 85ce74e, a logic flaw in CIccTagXmlProfileSequenceId::ParseXml in IccXML/IccLibXML/IccTagXml.cpp results in unconditionally returning false.",
"id": "GHSA-qqfm-9jcc-9q44",
"modified": "2024-07-03T18:45:29Z",
"published": "2024-06-16T03:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38427"
},
{
"type": "WEB",
"url": "https://github.com/InternationalColorConsortium/DemoIccMAX/pull/66"
},
{
"type": "WEB",
"url": "https://github.com/InternationalColorConsortium/DemoIccMAX/pull/66/commits/85ce74ef19fb0751c7e188b06daed22fe74c332c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV4Q-MR5R-QPRJ
Vulnerability from github – Published: 2022-12-08 03:03 – Updated: 2022-12-08 03:03Summary
Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10.
Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Credit
This vulnerability was responsibly reported by @davidwilemski.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.8"
},
{
"fixed": "1.13.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23476"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-08T03:03:33Z",
"nvd_published_at": "2022-12-08T04:15:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nNokogiri `1.13.8, 1.13.9` fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. \n\nFor applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.13.10`.\n\nUsers may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-252: Unchecked Return Value (4.9)](https://cwe.mitre.org/data/definitions/252.html)\n- [CWE - CWE-476: NULL Pointer Dereference (4.9)](https://cwe.mitre.org/data/definitions/476.html)\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @davidwilemski.\n",
"id": "GHSA-qv4q-mr5r-qprj",
"modified": "2022-12-08T03:03:33Z",
"published": "2022-12-08T03:03:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23476"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unchecked return value from xmlTextReaderExpand"
}
GHSA-R3P3-9V4P-P53J
Vulnerability from github – Published: 2024-04-22 18:30 – Updated: 2024-07-03 18:36An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The CapsuleIFWUSmm driver does not check the return value from a method or function. This can prevent it from detecting unexpected states and conditions.
{
"affected": [],
"aliases": [
"CVE-2022-46897"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-22T18:15:07Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The CapsuleIFWUSmm driver does not check the return value from a method or function. This can prevent it from detecting unexpected states and conditions.",
"id": "GHSA-r3p3-9v4p-p53j",
"modified": "2024-07-03T18:36:31Z",
"published": "2024-04-22T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46897"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7V4-RJWR-P5QP
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40A remote denial of service vulnerability in libhevc in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34672748.
{
"affected": [],
"aliases": [
"CVE-2017-0599"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-12T15:29:00Z",
"severity": "HIGH"
},
"details": "A remote denial of service vulnerability in libhevc in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34672748.",
"id": "GHSA-r7v4-rjwr-p5qp",
"modified": "2022-05-13T01:40:18Z",
"published": "2022-05-13T01:40:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0599"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/external/libhevc/+/a1424724a00d62ac5efa0e27953eed66850d662f"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R84F-4WJ3-R6VX
Vulnerability from github – Published: 2025-03-04 15:31 – Updated: 2025-11-03 21:33On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type. This vulnerability affects Firefox < 136, Firefox ESR < 115.21, and Firefox ESR < 128.8.
{
"affected": [],
"aliases": [
"CVE-2025-1933"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T14:15:38Z",
"severity": "HIGH"
},
"details": "On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type. This vulnerability affects Firefox \u003c 136, Firefox ESR \u003c 115.21, and Firefox ESR \u003c 128.8.",
"id": "GHSA-r84f-4wj3-r6vx",
"modified": "2025-11-03T21:33:04Z",
"published": "2025-03-04T15:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1933"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1946004"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-15"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-16"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-17"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-53
Check the results of all functions that return a value and verify that the value is expected.
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Ensure that you account for all possible return values from the function.
Mitigation
When designing a function, make sure you return a value or throw an exception in case of an error.
No CAPEC attack patterns related to this CWE.