CVE-2019-6293Uncontrolled Recursion in Flex

CWE-674Uncontrolled RecursionCWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.5%
top 36.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
25
Westes FlexDebian FlexMsrc Azl3 Flex 2.6.4-7 ON Azure Linux 3.0+22 more
Timeline
PublishedJan 15
Latest updateMay 13

Description

An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages25 packages

NVDwestes/flex2.6.4
debiandebian/flex

🔴Vulnerability Details

2
GHSA
GHSA-grpp-mcmx-p7pc: An issue was discovered in the function mark_beginning_as_normal in nfa2022-05-13
OSV
CVE-2019-6293: An issue was discovered in the function mark_beginning_as_normal in nfa2019-01-15

📋Vendor Advisories

3
Red Hat
flex: Recursive calls in the function mark_beginning_as_normal resulting in a denial of service2019-01-09
Microsoft
An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to i2019-01-08
Debian
CVE-2019-6293: flex - An issue was discovered in the function mark_beginning_as_normal in nfa.c in fle...2019

💬Community

2
Bugzilla
CVE-2019-6293 flex: Recursive calls in the function mark_beginning_as_normal resulting in a denial of service [fedora-all]2019-01-21
Bugzilla
CVE-2019-6293 flex: Recursive calls in the function mark_beginning_as_normal resulting in a denial of service2019-01-21