CVE-2020-9431 — Missing Release of Memory after Effective Lifetime in Wireshark

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGHNVD

EPSS

4.4%

top 10.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark Debian Wireshark Debian Linux +2 more

Timeline

PublishedFeb 27

Latest updateMay 24

Description

In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/wireshark< wireshark 3.2.2-1 (bookworm)

▶Debianwireshark/wireshark< 3.2.2-1+3

▶NVDwireshark/wireshark2.6.0 — 2.6.14+2

▶NVDopensuse/leap15.1

Also affects: Debian Linux 9.0, Fedora 30, 31, 32

🔴Vulnerability Details

GHSA

GHSA-c77w-xw87-xvp3: In Wireshark 3↗2022-05-24

▶

OSV

CVE-2020-9431: In Wireshark 3↗2020-02-27

▶

📋Vendor Advisories

Red Hat

wireshark: LTE RRC dissector memory leak could result in excessive memory resource consumption↗2020-02-26

▶

Debian

CVE-2020-9431: wireshark - In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC di...↗2020

▶

💬Community

Bugzilla

CVE-2020-9431 wireshark: LTE RRC dissector memory leak could result in excessive memory resource consumption [fedora-all]↗2020-03-18

▶

Bugzilla

CVE-2020-9431 wireshark: LTE RRC dissector memory leak could result in excessive memory resource consumption↗2020-03-18

▶