CVE-2024-2410

CWE-416 — Use After Free6 documents6 sources

Severity

9.8CRITICAL

EPSS

0.1%

top 84.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Protocolbuffers Protobuf Google Protobuf

Timeline

PublishedMay 3

Latest updateMay 14

Description

The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:LExploitability: 2.8 | Impact: 4.7

Affected Packages2 packages

▶CVEListV5protocolbuffers/protobuf4.22.0 — 4.25.0

▶NVDgoogle/protobuf4.22.0 — 4.25.0

🔴Vulnerability Details

GHSA

GHSA-h86c-v8g6-46f2: The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream↗2024-05-03

▶

CVEList

Use after free in C++ protobuf↗2024-05-03

▶

📋Vendor Advisories

Microsoft

Use after free in C++ protobuf↗2024-05-14

▶

Red Hat

protobuf: Use-after-free in JsonToBinaryStream()↗2024-05-03

▶

Debian

CVE-2024-2410: protobuf - The JsonToBinaryStream() function is part of the protocol buffers C++ implementa...↗2024

▶