CVE-2023-22895
Published 2023-01-10
Priority: P4 (31) · CVSS 3.1: 7.5 High
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.21% (64.7th percentile)
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bzip | bzip2 | >= 0 < 0.4.4 | 0.4.4 |
| bzip | bzip2 | >= 0.0.0-0 < 0.4.4 | 0.4.4 |
| bzip2_project | bzip2 | < 0.4.4 | 0.4.4 |
| debian | rust-bzip2 | < rust-bzip2 0.4.4-1 (bookworm) | rust-bzip2 0.4.4-1 (bookworm) |
| msrc | cm1_mozjs60_60.9.0-11_on_cbl_mariner_1.0 | — | — |
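The affected range is simple (anything below 0.4.4), but the version that matters is the one cargo actually resolved, which lives in Cargo.lock rather than Cargo.toml. The following is an added example, not code from the bzip2 crate, from cargo or from any of the sources on this page: a minimal lockfile scanner that reports resolved `bzip2` versions below 0.4.4, treats a pre-release of 0.4.4 as still unfixed, and does not touch the unrelated `bzip2-rs` crate that the advisory's NOTE calls out. The lockfile text and the function names are the example's own constructions; in a real project `cargo audit` performs this check against the RustSec database.

```rust
// Added example, not part of the bzip2 crate or of cargo: scan a Cargo.lock for a
// crate and report resolved versions below the release that carries the fix.

/// Release of the `bzip2` crate that fixes CVE-2023-22895.
const BZIP2_FIXED: (u64, u64, u64) = (0, 4, 4);

/// Constructed Cargo.lock fragment for this example (not taken from any real project).
const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "bzip2"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bzip2-sys",
 "libc",
]

[[package]]
name = "bzip2-rs"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bzip2-sys"
version = "0.1.11+1.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Minimal Cargo.lock reader: (name, version) for every `[[package]]` table.
fn packages(lock: &str) -> Vec<(String, String)> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push((n, v));
        }
    }
    let mut out: Vec<(String, String)> = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            // A new table starts: emit the previous one (the top-level `version = 3`
            // line has no name and is discarded here).
            flush(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Parses "MAJOR.MINOR.PATCH[-pre][+build]" into its numeric core plus a pre-release flag.
/// Build metadata (`+...`) does not affect precedence; a pre-release of the fixed version
/// (e.g. "0.4.4-rc.1") sorts before it and must still be treated as unfixed.
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let cut = v.find(|c| c == '-' || c == '+').unwrap_or(v.len());
    let (core, rest) = v.split_at(cut);
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let (major, minor, patch) = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some(((major, minor, patch), rest.starts_with('-')))
}

/// Versions of `crate_name` in the lockfile that are below `fixed`. Unparseable versions
/// are reported too, so they get looked at instead of silently passing.
fn vulnerable_versions(lock: &str, crate_name: &str, fixed: (u64, u64, u64)) -> Vec<String> {
    packages(lock)
        .into_iter()
        .filter(|(name, _)| name.as_str() == crate_name)
        .filter(|(_, v)| match parse_version(v) {
            Some((core, prerelease)) => core < fixed || (core == fixed && prerelease),
            None => true,
        })
        .map(|(_, v)| v)
        .collect()
}

fn main() {
    let hits = vulnerable_versions(SAMPLE_LOCK, "bzip2", BZIP2_FIXED);
    if hits.is_empty() {
        println!("bzip2: no affected versions resolved in lockfile");
    } else {
        println!("bzip2: affected versions resolved: {:?} (fixed in 0.4.4)", hits);
    }
}
```

Scanning the lockfile rather than Cargo.toml matters because a `bzip2 = "0.4"` requirement is satisfied by 0.4.3 and 0.4.4 alike; only the lock says which one shipped. The exact-name match is what keeps `bzip2-rs` out of the result, per the advisory's NOTE.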
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
Microsoft
vendor_msrc · 2023-01-10 · CVSS 7.5 (HIGH) · CWE-190
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified,
Debian
CVE-2023-22895: rust-bzip2
vendor_debian · 2023 · CVSS 7.5 (HIGH)
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
Scope: local
bookworm: resolved (fixed in 0.4.4-1)
bullseye: open
forky: resolved (fixed in 0.4.4-1)
sid: resolved (fixed in 0.4.4-1)
trixie: resolved (fixed in 0.4.4-1)
GHSA
bzip2 allows attackers to cause a denial of service via a large file that triggers an integer overflow
ghsa · 2023-01-10 · HIGH · CWE-190
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in `mem.rs`. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
OSV
bzip2 allows attackers to cause a denial of service via a large file that triggers an integer overflow
osv · 2023-01-10 · HIGH
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in `mem.rs`. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
OSV
osv · 2023-01-10 · CVSS 7.5 (HIGH)
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
OSV
bzip2 Denial of Service (DoS)
osv · 2023-01-09
Working with specific payloads can cause a Denial of Service (DoS) vector. Both `Decompress` and `Compress` implementations can enter into infinite loops given specific payloads that trigger it.

The issue is described in great detail in the [bzip2 repository issue](https://github.com/alexcrichton/bzip2-rs/pull/86).

Thanks to bjrjk for finding and providing the patch for the issue and the maintainer responsibly responding to release a fix quickly.

Users who use the crate with untrusted data should update `bzip2` to 0.4.4.
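The advisory names the symptom (an infinite loop in `Decompress` and `Compress`), the trigger (a large file) and the cause (an integer overflow in `mem.rs`), but not how the three connect. The block below is an added, constructed model of that failure class; it is not the bzip2 crate's code and does not reproduce the exact overflow site in `mem.rs`. It assumes the common shape of a Rust wrapper around a C streaming codec: the C stream struct holds buffer lengths as `u32`, the Rust side works with `usize`-sized slices, and a bare `as u32` cast of a slice of 4 GiB or more wraps. When it wraps to 0 the codec is offered nothing, consumes nothing, and a `while remaining > 0` drain loop never terminates. The clamped length and the zero-progress check are the two defences shown; the function names are the example's own.

```rust
// Added illustration of the failure class (not the bzip2 crate's code): a C-style
// stream struct stores buffer lengths as u32, while Rust slices are usize-sized.

/// Vulnerable form: a bare truncating cast. For remaining >= 4 GiB the high bits are
/// dropped (CWE-190 wrap-around); at exactly 4 GiB the codec is offered 0 bytes.
fn avail_in_truncating(remaining: usize) -> u32 {
    remaining as u32
}

/// Fixed form: clamp to the largest value the u32 field can carry; the drain loop
/// simply takes another turn for whatever is left.
fn avail_in_clamped(remaining: usize) -> u32 {
    remaining.min(u32::MAX as usize) as u32
}

/// Drains a simulated codec over `total` input bytes. The codec is modelled as
/// consuming every byte it is offered, so only the length computation differs
/// between runs. Returns the number of calls made, or an error when a call offers
/// nothing: that is the no-progress state an unguarded loop spins in forever, and
/// the check a defensive caller should keep even with a fixed library underneath.
fn drain(total: usize, avail_in: fn(usize) -> u32) -> Result<usize, &'static str> {
    let mut remaining = total;
    let mut calls = 0usize;
    while remaining > 0 {
        let offered = avail_in(remaining) as usize;
        if offered == 0 {
            return Err("codec offered 0 bytes: no forward progress, loop would never end");
        }
        // offered <= remaining in both forms: truncation only drops high bits.
        remaining -= offered;
        calls += 1;
    }
    Ok(calls)
}

fn main() {
    // 64-bit target assumed: 4 GiB fits a usize and wraps to 0 as a u32.
    let four_gib = u32::MAX as usize + 1;
    println!("truncating, 4 GiB:      {:?}", drain(four_gib, avail_in_truncating));
    println!("clamped,    4 GiB:      {:?}", drain(four_gib, avail_in_clamped));
    println!("truncating, 4 GiB + 10: {:?}", drain(four_gib + 10, avail_in_truncating));
    println!("clamped,    4 GiB + 10: {:?}", drain(four_gib + 10, avail_in_clamped));
}
```

The same reasoning applies to the output side (`avail_out`), which is why both the compressor and the decompressor are listed as affected. Since the page describes a network-reachable DoS with no privileges required, a service that decompresses attacker-supplied archives with an unfixed crate can be pinned at 100% CPU by one oversized upload; upgrading to 0.4.4 removes the overflow, and an input-size or progress guard in the caller limits the damage if another codec ever shows the same behaviour.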
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://crates.io/crates/bzip2/versions
https://github.com/alexcrichton/bzip2-rs/pull/86
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MI5SVRSGKBWB2JGDLDVIFY5ZQVDZP6I7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQK57GGXJX3AH7KF6S7S3N7JC5QOYUQ7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUK2JO25PPA6XBREKJRBLRCD22LKIOLO/