CVE-2019-14878 — NULL Pointer Dereference in Project Newlib

CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Newlib Project Newlib Debian Newlib Debian Picolibc +1 more

Timeline

PublishedMar 19

Latest updateMay 24

Description

In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. Accessing _x will trigger a null pointer dereference bug in case of a memory allocation failure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/newlib< newlib 3.3.0-1 (bookworm)

▶debiandebian/picolibc< newlib 3.3.0-1 (bookworm)

▶NVDnewlib_project/newlib< 3.3.0

▶Debiannewlib_project/newlib< 3.3.0-1+3

▶CVEListV5red_hat/newliball newlib versions prior to 3.3.0

🔴Vulnerability Details

GHSA

GHSA-p43r-33j2-mh6q: In the __d2b function of the newlib libc library, all versions prior to 3↗2022-05-24

▶

OSV

CVE-2019-14878: In the __d2b function of the newlib libc library, all versions prior to 3↗2020-03-19

▶

📋Vendor Advisories

Debian

CVE-2019-14878: newlib - In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (s...↗2019

▶