Common Weakness Enumeration

CWE-789

Allowed

Memory Allocation with Excessive Size Value

Abstraction: Variant · Status: Draft

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

321 vulnerabilities reference this CWE, most recent first.

GHSA-V24H-PJJV-MCP6

Vulnerability from github – Published: 2021-05-27 18:44 – Updated: 2023-10-02 12:27
VLAI
Summary
Denial of service in Tendermint
Details

Description

Denial of Service 1

Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.

Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids).

Notes:

  • Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);
  • Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (https://github.com/tendermint/tendermint/issues/1696).

Denial of Service 2

Tendermint 0.33.2 and earlier does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting Denial of Service 1), which ultimately will lead to the node panicking.

Tendermint 0.33.3 (and 0.32.10) claims activeID for a peer in InitPeer, which is executed before MConnection is started.

Notes:

  • InitPeer function was added to all reactors to combat a similar issue - https://github.com/tendermint/tendermint/issues/3338;
  • Denial of Service 2 is independent of Denial of Service 1 and can be executed without it.

Specific Go Packages Affected

github.com/tendermint/tendermint/p2p

Impact

  • All full nodes (except for validators who are behind closed networks)
  • Node's memory usage increases, then it panics either in the mempool or due to OOM.

Patches

  • v0.33.3
  • v0.32.10
  • v0.31.12

Workarounds

No workarounds.

References

  • https://hackerone.com/reports/820317 (not disclosed yet)
  • https://github.com/tendermint/tendermint/issues/3338
  • https://github.com/tendermint/tendermint/issues/1696

For more information

If you have any questions or comments about this advisory: * Open an issue in tendermint/tendermint * Email us at security@tendermint.com

More information can be found here.

Credits

  • fudongbai for discovering and reporting Denial of Service 2
  • Ethan Buchman (@ebuchman) for writing a test case for Denial of Service 2 and Tess Rinearson (@tessr) for fixing it
  • Anton Kaliaev (@melekes) for fixing Denial of Service 1
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tendermint/tendermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.33.0"
            },
            {
              "fixed": "0.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tendermint/tendermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tendermint/tendermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.32.0"
            },
            {
              "fixed": "0.32.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T21:16:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\n**Denial of Service 1**\n\nTendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. \n\nTendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming connection requests to to `p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)`.\n\nNotes:\n\n- Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);\n- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (https://github.com/tendermint/tendermint/issues/1696).\n\n**Denial of Service 2**\n\nTendermint 0.33.2 and earlier does not reclaim `activeID` of a peer after it\u0027s removed in `Mempool` reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the `Peer` is created and added to all reactors. `RemovePeer` is therefore called before `AddPeer`, which leads to always growing memory (`activeIDs` map). The `activeIDs` map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting Denial of Service 1), which ultimately will lead to the node panicking.\n\nTendermint 0.33.3 (and 0.32.10) claims `activeID` for a peer in `InitPeer`, which is executed before `MConnection` is started.\n\nNotes: \n\n- `InitPeer` function was added to all reactors to combat a similar issue - https://github.com/tendermint/tendermint/issues/3338;\n- Denial of Service 2 is independent of Denial of Service 1 and can be executed without it.\n\n### Specific Go Packages Affected\ngithub.com/tendermint/tendermint/p2p\n\n### Impact\n\n- All full nodes (except for validators who are behind closed networks)\n- Node\u0027s memory usage increases, then it panics either in the mempool or due to OOM.\n\n### Patches\n\n- v0.33.3\n- v0.32.10\n- v0.31.12\n\n### Workarounds\n\nNo workarounds.\n\n### References\n\n- https://hackerone.com/reports/820317 (not disclosed yet)\n- https://github.com/tendermint/tendermint/issues/3338\n- https://github.com/tendermint/tendermint/issues/1696\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [tendermint/tendermint](https://github.com/tendermint/tendermint)\n* Email us at [security@tendermint.com](mailto:security@tendermint.com)\n\nMore information can be found [here](https://tendermint.com/security/).\n\n### Credits\n\n- [fudongbai](https://hackerone.com/fudongbai) for discovering and reporting Denial of Service 2\n- Ethan Buchman (@ebuchman) for writing a test case for Denial of Service 2 and Tess Rinearson (@tessr) for fixing it\n- Anton Kaliaev (@melekes) for fixing Denial of Service 1",
  "id": "GHSA-v24h-pjjv-mcp6",
  "modified": "2023-10-02T12:27:32Z",
  "published": "2021-05-27T18:44:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/issues/1696"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/issues/3338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/820317"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tendermint/tendermint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#denial-of-service-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service in Tendermint"
}

GHSA-V2VV-6Q75-RVC9

Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-03-31 12:31
VLAI
Details

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-789"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-31T12:16:27Z",
    "severity": "MODERATE"
  },
  "details": "An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.",
  "id": "GHSA-v2vv-6q75-rvc9",
  "modified": "2026-03-31T12:31:35Z",
  "published": "2026-03-31T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24030"
    },
    {
      "type": "WEB",
      "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7G2-M8C5-MF84

Vulnerability from github – Published: 2026-02-24 15:44 – Updated: 2026-02-24 15:44
VLAI
Summary
ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder
Details

A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort.

Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T15:44:19Z",
    "nvd_published_at": "2026-02-24T02:16:02Z",
    "severity": "HIGH"
  },
  "details": "A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort.\n\nFound via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.",
  "id": "GHSA-v7g2-m8c5-mf84",
  "modified": "2026-02-24T15:44:19Z",
  "published": "2026-02-24T15:44:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25985"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/1a51eb9af00c36724660e294520878fd1f13e312"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder"
}

GHSA-V9XF-FR6M-F93P

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to uncontrolled memory allocation. An attacker could exploit this vulnerability by copying a crafted file to a specific folder on the system. A successful exploit could allow the attacker to crash the VPN Agent service when the affected application is launched, causing it to be unavailable to all users of the system. To exploit this vulnerability, the attacker must have valid credentials on a multiuser Windows system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-789"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-16T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to uncontrolled memory allocation. An attacker could exploit this vulnerability by copying a crafted file to a specific folder on the system. A successful exploit could allow the attacker to crash the VPN Agent service when the affected application is launched, causing it to be unavailable to all users of the system. To exploit this vulnerability, the attacker must have valid credentials on a multiuser Windows system.",
  "id": "GHSA-v9xf-fr6m-f93p",
  "modified": "2022-05-24T19:05:26Z",
  "published": "2022-05-24T19:05:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1568"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dos-hMhyDfb8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V9XR-R3XX-X9GC

Vulnerability from github – Published: 2023-10-02 21:30 – Updated: 2024-01-07 12:30
VLAI
Details

In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770",
      "CWE-789"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-02T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.",
  "id": "GHSA-v9xr-r3xx-x9gc",
  "modified": "2024-01-07T12:30:30Z",
  "published": "2023-10-02T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0809"
    },
    {
      "type": "WEB",
      "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC8P-8PXG-RFWG

Vulnerability from github – Published: 2026-06-12 21:02 – Updated: 2026-07-08 17:35
VLAI
Summary
ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing
Details

Summary

The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays.

A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught OutOfMemoryError, potentially terminating the application process.

Details

The issue was in DerReader.readLength() and primitive readers such as readInteger().

readLength() previously accepted up to 127 length octets and accumulated them into an Int:

length = (length shl 8) or nextByte

This permitted integer overflow. For example:

  • 0x1_0000_0001 wrapped to 1.
  • 0x8000_0000 wrapped to Int.MIN_VALUE.

Primitive readers then allocated memory based on the resulting value without first checking it against the remaining input:

val bytes = ByteArray(length)
data.get(bytes)

A six-byte DER value declaring a 1 GiB INTEGER caused an immediate OutOfMemoryError when tested with a constrained JVM heap. Because OutOfMemoryError is not an Exception, it is not caught by the public-key authentication error handling and may terminate the application process.

A zero-length DER INTEGER is also invalid, but it does not produce BigInteger.ZERO: Java throws NumberFormatException when constructing a BigInteger from an empty byte array. No weakened or usable cryptographic key has been demonstrated through this issue.

Attack Requirements

The affected DER parser processes private-key material explicitly supplied by the application through APIs such as:

  • SshClient.authenticatePublicKey()
  • SshKeys.decodePemPrivateKey()
  • SshSigning.sign()
  • SshSigning.getPublicKey()

The DER input is not populated from SSH server host keys or agent-forwarding requests. Exploitation therefore requires a user or application to load an attacker-provided private-key file. The issue is not remotely exploitable by an SSH server.

Impact

Successful exploitation can cause:

  • Incorrect DER length interpretation due to integer wraparound
  • Excessive memory allocation
  • An uncaught OutOfMemoryError
  • Loss of availability of the affected application process

There is no demonstrated confidentiality or integrity impact.

Remediation

The DER parser now:

  • Rejects indefinite lengths
  • Explicitly limits long-form lengths to Int.SIZE_BYTES (four octets) and rejects values above Int.MAX_VALUE
  • Accumulates long-form lengths in a Long before converting to Int
  • Rejects truncated and non-minimal length encodings
  • Checks declared lengths against the remaining input before allocation or advancing the input position
  • Rejects zero-length DER INTEGER, BIT STRING, and OBJECT IDENTIFIER values where an empty encoding is invalid
  • Rejects non-canonical DER INTEGER encodings with redundant sign octets

The bounds checks are implemented in shared DER reader helpers and apply to INTEGER, OCTET STRING, BIT STRING, OBJECT IDENTIFIER, SEQUENCE, context-specific values, and skipped values. PKCS#1 RSA and SEC1 EC private keys pass application-supplied DER directly through these helpers. PKCS#8 input is parsed by the JCA provider, and OpenSSH private keys use a separate wire-format parser rather than DerReader.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.connectbot.sshlib:sshlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T21:02:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to `Int` values or allocating arrays.\n\nA malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught `OutOfMemoryError`, potentially terminating the application process.\n\n## Details\n\nThe issue was in `DerReader.readLength()` and primitive readers such as `readInteger()`.\n\n`readLength()` previously accepted up to 127 length octets and accumulated them into an `Int`:\n\n```kotlin\nlength = (length shl 8) or nextByte\n```\n\nThis permitted integer overflow. For example:\n\n- `0x1_0000_0001` wrapped to `1`.\n- `0x8000_0000` wrapped to `Int.MIN_VALUE`.\n\nPrimitive readers then allocated memory based on the resulting value without first checking it against the remaining input:\n\n```kotlin\nval bytes = ByteArray(length)\ndata.get(bytes)\n```\n\nA six-byte DER value declaring a 1 GiB INTEGER caused an immediate `OutOfMemoryError` when tested with a constrained JVM heap. Because `OutOfMemoryError` is not an `Exception`, it is not caught by the public-key authentication error handling and may terminate the application process.\n\nA zero-length DER INTEGER is also invalid, but it does not produce `BigInteger.ZERO`: Java throws `NumberFormatException` when constructing a `BigInteger` from an empty byte array. No weakened or usable cryptographic key has been demonstrated through this issue.\n\n## Attack Requirements\n\nThe affected DER parser processes private-key material explicitly supplied by the application through APIs such as:\n\n- `SshClient.authenticatePublicKey()`\n- `SshKeys.decodePemPrivateKey()`\n- `SshSigning.sign()`\n- `SshSigning.getPublicKey()`\n\nThe DER input is not populated from SSH server host keys or agent-forwarding requests. Exploitation therefore requires a user or application to load an attacker-provided private-key file. The issue is not remotely exploitable by an SSH server.\n\n## Impact\n\nSuccessful exploitation can cause:\n\n- Incorrect DER length interpretation due to integer wraparound\n- Excessive memory allocation\n- An uncaught `OutOfMemoryError`\n- Loss of availability of the affected application process\n\nThere is no demonstrated confidentiality or integrity impact.\n\n## Remediation\n\nThe DER parser now:\n\n- Rejects indefinite lengths\n- Explicitly limits long-form lengths to `Int.SIZE_BYTES` (four octets) and rejects values above `Int.MAX_VALUE`\n- Accumulates long-form lengths in a `Long` before converting to `Int`\n- Rejects truncated and non-minimal length encodings\n- Checks declared lengths against the remaining input before allocation or advancing the input position\n- Rejects zero-length DER INTEGER, BIT STRING, and OBJECT IDENTIFIER values where an empty encoding is invalid\n- Rejects non-canonical DER INTEGER encodings with redundant sign octets\n\nThe bounds checks are implemented in shared DER reader helpers and apply to INTEGER, OCTET STRING, BIT STRING, OBJECT IDENTIFIER, SEQUENCE, context-specific values, and skipped values. PKCS#1 RSA and SEC1 EC private keys pass application-supplied DER directly through these helpers. PKCS#8 input is parsed by the JCA provider, and OpenSSH private keys use a separate wire-format parser rather than `DerReader`.",
  "id": "GHSA-vc8p-8pxg-rfwg",
  "modified": "2026-07-08T17:35:52Z",
  "published": "2026-06-12T21:02:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/connectbot/cbssh/security/advisories/GHSA-vc8p-8pxg-rfwg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/connectbot/cbssh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/connectbot/cbssh/releases/tag/v0.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing"
}

GHSA-VPJR-H6FH-MW4P

Vulnerability from github – Published: 2023-09-21 15:30 – Updated: 2026-02-04 20:46
VLAI
Summary
Duplicate Advisory: EVE Freely Allocates Buffer on The Stack With Data From Socket
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-phcg-h58r-gmcq. This link is maintained to preserve external references.

Original Description

As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this server is done using protobuf, and the data is comprised of 2 parts:

  1. Header

  2. Data

When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come.

Then, in the function “handleRequest” this size is then used in order to allocate a payload on the stack for the incoming data.

As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data.

  • An attacker can crash the system.
  • An attacker can gain control over the system, specifically on the “vtpm_server” process which has very high privileges.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/eve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20230519072751-977f42b07fa9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-770",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T20:46:55Z",
    "nvd_published_at": "2023-09-21T14:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-phcg-h58r-gmcq. This link is maintained to preserve external references.\n\n### Original Description\nAs noted in the \u201cVTPM.md\u201d file in the eve documentation, \u201cVTPM is a server listening on port\n8877 in EVE, exposing limited functionality of the TPM to the clients. \nVTPM allows clients to\nexecute tpm2-tools binaries from a list of hardcoded options\u201d\nThe communication with this server is done using protobuf, and the data is comprised of 2\nparts:\n\n1. Header\n\n2. Data\n\nWhen a connection is made, the server is waiting for 4 bytes of data, which will be the header,\nand these 4 bytes would be parsed as uint32 size of the actual data to come.\n\nThen, in the function \u201chandleRequest\u201d this size is then used in order to allocate a payload on\nthe stack for the incoming data.\n\nAs this payload is allocated on the stack, this will allow overflowing the stack size allocated for\nthe relevant process with freely controlled data.\n\n* An attacker can crash the system. \n* An attacker can gain control over the system, specifically on the \u201cvtpm_server\u201d process\nwhich has very high privileges.",
  "id": "GHSA-vpjr-h6fh-mw4p",
  "modified": "2026-02-04T20:46:55Z",
  "published": "2023-09-21T15:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43632"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/cve-2023-43632"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/freely-allocate-buffer-on-the-stack-with-data-from-socket"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: EVE Freely Allocates Buffer on The Stack With Data From Socket",
  "withdrawn": "2026-02-04T20:46:55Z"
}

GHSA-W2JH-77FQ-7GP8

Vulnerability from github – Published: 2026-05-05 21:57 – Updated: 2026-05-13 16:27
VLAI
Summary
OpAMP client reads unbounded HTTP response bodies
Details

Summary

When receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed.

This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response.

Details

#2926 introduced the initial HTTP transport components which uses ReadAsByteArrayAsync to copy the HttpResponseMessage.Content into a byte array. This code path allows an unbounded read of the entire HTTP response message.

Impact

If an application using the OpAMP client is configured to use an OpAMP server that is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response, the application could have its memory exhausted and create a denial-of-service condition.

Mitigation

The application's configured OpAMP server needs to behave maliciously. If the OpAMP server is a well-behaved implementation, response bodies should not be excessively large.

Workarounds

None known.

Remediation

#4116 updates the OpAMP client HTTP transport to limit the maximum size of responses to 128KB.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.OpAmp.Client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.0-alpha.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:57:54Z",
    "nvd_published_at": "2026-05-12T18:17:24Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed.\n\nThis could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. \n\n### Details\n\n[#2926](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2926) introduced the initial HTTP transport components which uses `ReadAsByteArrayAsync` to copy the `HttpResponseMessage.Content` into a byte array. This code path allows an unbounded read of the entire HTTP response message.\n\n### Impact\n\nIf an application using the OpAMP client is configured to use an OpAMP server that is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response, the application could have its memory exhausted and create a denial-of-service condition.\n\n### Mitigation\n\nThe application\u0027s configured OpAMP server needs to behave maliciously. If the OpAMP server is a well-behaved implementation, response bodies should not be excessively large.\n\n### Workarounds\n\nNone known.\n\n### Remediation\n\n[#4116](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116) updates the OpAMP client HTTP transport to limit the maximum size of responses to 128KB.\n\n### Resources\n\n- [#2926](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2926)\n- [#4116](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116)\n- [CWE-789](https://cwe.mitre.org/data/definitions/789.html)",
  "id": "GHSA-w2jh-77fq-7gp8",
  "modified": "2026-05-13T16:27:09Z",
  "published": "2026-05-05T21:57:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/commit/bf1fad4fa298ff451cda0efb0ee9c7a7eb46212a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpAMP client reads unbounded HTTP response bodies"
}

GHSA-W4W9-25XJ-F9J4

Vulnerability from github – Published: 2026-05-16 18:31 – Updated: 2026-05-16 18:31
VLAI
Details

My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-789"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-16T16:16:22Z",
    "severity": "HIGH"
  },
  "details": "My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash.",
  "id": "GHSA-w4w9-25xj-f9j4",
  "modified": "2026-05-16T18:31:38Z",
  "published": "2026-05-16T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47971"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49954"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/my-notes-safe-denial-of-service-via-buffer-overflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W8GF-G2VQ-J2F4

Vulnerability from github – Published: 2024-04-03 18:49 – Updated: 2024-04-03 18:49
VLAI
Summary
amphp/http-client Denial of Service via HTTP/2 CONTINUATION Frames
Details

Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.

Acknowledgements

Thank you to Bartek Nowotarski for reporting the vulnerability.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "amphp/http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-rc10"
            },
            {
              "fixed": "4.1.0-rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-770",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-03T18:49:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Early versions of `amphp/http-client` with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 `CONTINUATION` frames in an unbounded buffer and will not check the header size limit until it has received the `END_HEADERS` flag, resulting in an OOM crash. Later versions of `amphp/http-client` (v4.1.0-rc1 and up) depend on `amphp/http` for HTTP/2 processing and will therefore need an updated version of `amphp/http`, see [GHSA-qjfw-cvjf-f4fm](https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm).\n\n## Acknowledgements\n\nThank you to [Bartek Nowotarski](https://nowotarski.info/) for reporting the vulnerability.",
  "id": "GHSA-w8gf-g2vq-j2f4",
  "modified": "2024-04-03T18:49:42Z",
  "published": "2024-04-03T18:49:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/amphp/http/security/advisories/GHSA-qjfw-cvjf-f4fm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/amphp/http-client"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "amphp/http-client  Denial of Service via HTTP/2 CONTINUATION Frames"
}

Mitigation
Implementation Architecture and Design

Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.

Mitigation
Operation

Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

No CAPEC attack patterns related to this CWE.