CVE-2019-17362
published 2019-10-09


Priority: P3 (42)
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 3.19% (86.5th percentile)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.

Affected

15 ranges

Vendor       | Product                                        | Version range                        | Fixed in
debian       | debian_linux                                   |                                      |
debian       | libcryptx-perl                                 | < libcryptx-perl 0.066-1 (bookworm)  | libcryptx-perl 0.066-1 (bookworm)
debian       | libtomcrypt                                    | < libtomcrypt 1.18.2-3 (bookworm)    | libtomcrypt 1.18.2-3 (bookworm)
libtom       | libtomcrypt                                    | <= 1.18.2                            |
libtomcrypt  | libtomcrypt                                    | >= 0 < 1.18.2-3                      | 1.18.2-3
libtomcrypt  | libtomcrypt                                    | >= 0 < 1.18.2-3                      | 1.18.2-3
libtomcrypt  | libtomcrypt                                    | >= 0 < 1.18.2-3                      | 1.18.2-3
libtomcrypt  | libtomcrypt                                    | >= 0 < 1.18.2-3                      | 1.18.2-3
mik          | cryptx                                         | >= 0.002 < 0.065                     | 0.065
msrc         | azl3_libtomcrypt_1.18.2-9_on_azure_linux_3.0   |                                      |
msrc         | azure_linux_3.0_arm                            |                                      |
msrc         | azure_linux_3.0_x64                            |                                      |
msrc         | cbl2_libtomcrypt_1.18.2-9_on_cbl_mariner_2.0   |                                      |
msrc         | cbl_mariner_2.0_arm                            |                                      |
msrc         | cbl_mariner_2.0_x64                            |                                      |

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd            | v2.0    | 6.4   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:P
osv            |         | 9.1   | CRITICAL |
vendor_debian  |         | 9.1   | CRITICAL |
vendor_msrc    |         | 9.1   | CRITICAL |
vendor_redhat  |         | 9.1   | CRITICAL |