CVE-2019-17362
Published 2019-10-09
Priority P342 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 3.19% (86.5th percentile)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libcryptx-perl | < libcryptx-perl 0.066-1 (bookworm) | libcryptx-perl 0.066-1 (bookworm) |
| debian | libtomcrypt | < libtomcrypt 1.18.2-3 (bookworm) | libtomcrypt 1.18.2-3 (bookworm) |
| libtom | libtomcrypt | <= 1.18.2 | — |
| libtomcrypt | libtomcrypt | >= 0 < 1.18.2-3 | 1.18.2-3 |
| libtomcrypt | libtomcrypt | >= 0 < 1.18.2-3 | 1.18.2-3 |
| libtomcrypt | libtomcrypt | >= 0 < 1.18.2-3 | 1.18.2-3 |
| libtomcrypt | libtomcrypt | >= 0 < 1.18.2-3 | 1.18.2-3 |
| mik | cryptx | >= 0.002 < 0.065 | 0.065 |
| msrc | azl3_libtomcrypt_1.18.2-9_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_libtomcrypt_1.18.2-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
| vendor_msrc | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
Debian
CVE-2025-40912 [CRITICAL]: libcryptx-perl (vendor_debian · 2025 · CVSS 9.1)
CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode. CryptX embeds the tomcrypt library. The versions of that library in CryptX before 0.065 may be susceptible to CVE-2019-17362.
Scope: local
bookworm: resolved (fixed in 0.066-1)
bullseye: resolved (fixed in 0.066-1)
forky: resolved (fixed in 0.066-1)
sid: resolved (fixed in 0.066-1)
trixie: resolved (fixed in 0.066-1)
Ubuntu
CVE-2019-17362: LibTomCrypt vulnerability (vendor_ubuntu · 2021-03-15)
Summary: LibTomCrypt could be made to crash if it received specially crafted input.
It was discovered that LibTomCrypt incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service or read sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
CVE-2019-17362 [CRITICAL] CWE-125 (vendor_msrc · 2019-10-08 · CVSS 9.1)
In LibTomCrypt through 1.18.2 the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began pub
Red Hat
CVE-2019-17362 [CRITICAL] CWE-125: libtomcrypt: out-of-bounds read in the der_decode_utf8_string function in der_decode_utf8_string.c (vendor_redhat · 2019-08-10 · CVSS 9.1)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
Statement: Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected, as they no longer ship the libtomcrypt library. Only CloudForms 5.8, which is EOL, delivers the libtomcrypt library.
Red Hat Ansible Engine 2.8 and 2.9 are not affected, as they no longer ship the libtomcrypt library, and Ansible Engine 2.7 had deprecated it.
Package: libtomcrypt (CloudForms Man
Debian
CVE-2019-17362 [CRITICAL]: libtomcrypt (vendor_debian · 2019 · CVSS 9.1)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
Scope: local
bookworm: resolved (fixed in 1.18.2-3)
bullseye: resolved (fixed in 1.18.2-3)
forky: resolved (fixed in 1.18.2-3)
sid: resolved (fixed in 1.18.2-3)
trixie: resolved (fixed in 1.18.2-3)
OSV
CVE-2025-40912 [CRITICAL] (osv · 2025-06-11 · CVSS 9.1)
CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode. CryptX embeds the tomcrypt library. The versions of that library in CryptX before 0.065 may be susceptible to CVE-2019-17362.
GHSA
GHSA-w3qg-5chj-8g9g / CVE-2025-40912 [CRITICAL] (ghsa_unreviewed · 2025-06-11 · CVSS 9.1)
CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode. CryptX embeds the tomcrypt library. The versions of that library in CryptX before 0.065 may be susceptible to CVE-2019-17362.
GHSA
GHSA-x32c-6j92-4hp9 / CVE-2019-17362 [MEDIUM] CWE-125 (ghsa_unreviewed · 2022-05-24)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
OSV
CVE-2019-17362 [CRITICAL] (osv · 2019-10-09 · CVSS 9.1)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-17362 [CRITICAL] libtomcrypt: out-of-bounds read in the der_decode_utf8_string function in der_decode_utf8_string.c [fedora-all] (bugzilla · 2019-11-21 · CVSS 9.1)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOT
Bugzilla
CVE-2019-17362 [CRITICAL] libtomcrypt: out-of-bounds read in the der_decode_utf8_string function in der_decode_utf8_string.c (bugzilla · 2019-11-21 · CVSS 9.1)
In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.
Reference:
https://github.com/libtom/libtomcrypt/pull/508
https://github.com/libtom/libtomcrypt/issues/507
Discussion:
Created libtomcrypt tracking bugs for this issue:
Affects: epel-all [bug 1775215]
Affects: fedora-all [bug 1775214]
---
Statement:
Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected as it does not ship anymore li
Bugzilla
CVE-2019-17362 [CRITICAL] libtomcrypt: out-of-bounds read in the der_decode_utf8_string function in der_decode_utf8_string.c [epel-all] (bugzilla · 2019-11-21 · CVSS 9.1)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: t
References
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00041.html
https://github.com/libtom/libtomcrypt/issues/507
https://github.com/libtom/libtomcrypt/pull/508
https://lists.debian.org/debian-lts-announce/2019/10/msg00010.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47YP5SXQ4RY6KMTK2HI5ZZR244XKRMCZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU5OMCY3PX54YVI4FMNDEENHDJZJ3RJW/
https://vuldb.com/?id.142995