CVE-2019-11922 — Race Condition in Zstandard

CWE-362 — Race Condition13 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 29.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Facebook Zstandard Yves Sereal Debian Libzstd +2 more

Timeline

PublishedJul 25

Latest updateMar 31

Description

A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶NVDfacebook/zstandard< 1.3.8

▶NVDyves/sereal4.000 — 4.010

▶debiandebian/libzstd< libzstd 1.3.8+dfsg-2 (bookworm)

▶CVEListV5yves/sereal_encoder4.000 — 4.009_002

▶debiandebian/libsereal-encoder-perl

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-hhqv-q79g-jgfm: Sereal::Encoder versions from 4↗2026-03-31

▶

GHSA

GHSA-93rm-8cxm-wfv4: Sereal::Decoder versions from 4↗2026-03-31

▶

GHSA

GHSA-w77f-wv46-4vcx: A race condition in the one-pass compression functions of Zstandard prior to version 1↗2022-05-24

▶

OSV

CVE-2019-11922: A race condition in the one-pass compression functions of Zstandard prior to version 1↗2019-07-25

▶

📋Vendor Advisories

Debian

CVE-2024-14030: libsereal-encoder-perl - Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerab...↗2024

▶

Debian

CVE-2024-14031: libsereal-encoder-perl - Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerab...↗2024

▶

Red Hat

zstd: race condition in one-pass compression functions that could allow out of bounds write↗2022-09-02

▶

Ubuntu

Zstandard vulnerability↗2022-09-01

▶

Ubuntu

Zstandard vulnerability↗2019-08-21

▶