CVE-2025-4432: Allocation of Resources Without Limits or Throttling in Rust-ring

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.3% (top 50.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 9; latest update May 15

Description

A flaw was found in Rust's Ring package. When overflow checking is enabled, certain operations may trigger a panic. In the QUIC protocol, an attacker can induce this panic by sending a specially crafted packet; it is also expected to occur unintentionally in roughly 1 out of every 2**32 packets sent or received.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Exploitability: 3.9 | Impact: 1.4)

Vulnerability Details

OSV: Ring: some aes functions may panic when overflow checking is enabled in ring in github.com/briansmith/ring (2025-05-15)
OSV: CVE-2025-4432: A flaw was found in Rust's Ring package (2025-05-09)
OSV: Duplicate Advisory: ring has some AES functions that may panic when overflow checking is enabled in (2025-05-09)
GHSA: Some AES functions may panic when overflow checking is enabled in ring (2025-03-07)
OSV: Some AES functions may panic when overflow checking is enabled in ring (2025-03-07)

Vendor Advisories

Microsoft: Ring: some aes functions may panic when overflow checking is enabled in ring (2025-05-13)
Red Hat: ring: Some AES functions may panic when overflow checking is enabled in ring (2025-03-07)
Debian: CVE-2025-4432: rust-ring - A flaw was found in Rust's Ring package. A panic may be triggered when overflow ... (2025)