CVE-2018-19974Use of Uninitialized Resource in Yara

CWE-908Use of Uninitialized Resource10 documents7 sources
Severity
5.5MEDIUMNVD
OSV7.5
EPSS
0.3%
top 51.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Virustotal Yara
Timeline
PublishedDec 17
Latest updateMar 9

Description

In YARA 3.8.1, bytecode in a specially crafted compiled rule can read uninitialized data from VM scratch memory in libyara/exec.c. This can allow attackers to discover addresses in the real stack (not the YARA virtual stack).

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

Debianvirustotal/yara< 3.8.1-2+3
Ubuntuvirustotal/yara< 3.4.0+dfsg-2ubuntu0.1~esm1+2
NVDvirustotal/yara3.8.1

🔴Vulnerability Details

4
OSV
yara vulnerabilities2026-03-09
GHSA
GHSA-qgr5-73wm-7w3g: In YARA 32022-05-13
CVEList
CVE-2018-19974: In YARA 32018-12-17
OSV
CVE-2018-19974: In YARA 32018-12-17

📋Vendor Advisories

2
Ubuntu
YARA vulnerabilities2026-03-09
Debian
CVE-2018-19974: yara - In YARA 3.8.1, bytecode in a specially crafted compiled rule can read uninitiali...2018

💬Community

3
Bugzilla
CVE-2018-19974 CVE-2018-19975 CVE-2018-19976 yara: Multiple issues2018-12-18
Bugzilla
CVE-2018-19974 CVE-2018-19975 CVE-2018-19976 yara: Multiple issues [fedora-all]2018-12-18
Bugzilla
CVE-2018-19974 CVE-2018-19975 CVE-2018-19976 yara: Multiple issues [epel-all]2018-12-18
CVE-2018-19974 — Use of Uninitialized Resource in Yara | cvebase