CVE-2019-6250
published 2019-01-13


Priority: P357high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 9.44% (94.8th percentile)
A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).

Affected (4 ranges)

Vendor  | Product      | Version range            | Fixed in
------- | ------------ | ------------------------ | ------------------------------
debian  | debian_linux |                          |
debian  | zeromq3      | < zeromq3 4.3.1-1 (bookworm) | zeromq3 4.3.1-1 (bookworm)
zeromq  | libzmq       | 4.2.0 – 4.2.5            |
zeromq  | libzmq       | >= 4.3.0, < 4.3.1        | 4.3.1

Detection & IOCs (extracted from sources)

  • The vulnerability resides specifically in the v2_decoder.cpp file, in the zmq::v2_decoder_t::size_ready function — target detection efforts at integer overflow conditions in this code path within libzmq 4.2.x and 4.3.x before 4.3.1.
  • The attack vector involves injecting OS commands into a data structure located immediately after the overflowed buffer — monitor for unexpected OS command strings embedded in ZeroMQ v2 protocol message data.
  • Only the ZeroMQ version 2 decoder is affected; deployments using only the version 1 decoder (e.g., zeromq3 as shipped with Red Hat Ceph Storage 2) are not vulnerable — scope detection to endpoints running libzmq 4.2.0 through 4.3.0.
  • The vulnerability has been present since libzmq 4.2.0; inventory and alert on any process loading libzmq versions 4.2.0–4.3.0.
  • Fedora (as of the bug report) shipped zeromq 4.1.6 and was therefore not affected, despite being flagged initially — verify the exact installed version before treating a Fedora host as vulnerable.

CVSS provenance

Source        | Version | Score | Severity | Vector
------------- | ------- | ----- | -------- | ---------------------------------------------
nvd           | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |