CVE-2025-46784: Missing Release of Memory after Effective Lifetime in Lasso

Severity
7.5 HIGH (NVD)
EPSS
0.1% (top 66.00%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 5
Latest update: Nov 26

Description

A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. No authentication or user interaction is required (see the CVSS vector below), so any endpoint that accepts unsolicited SAML responses from the network is exposed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (10 packages)

Source      Package             Affected versions
Debian      entrouvert/lasso    < 2.6.1-3+deb11u1+3
Ubuntu      entrouvert/lasso    < 2.7.0-2ubuntu0.1+1
NVD         entrouvert/lasso    2.5.1
CVEListV5   entr_ouvert/lasso   2.5.1
Debian      debian/lasso        < 2.8.1-1 (bookworm)

🔴 Vulnerability Details (3)

OSV: lasso vulnerabilities (2025-11-18)
GHSA: GHSA-4p4q-6835-5w79: A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2... (2025-11-05)
OSV: CVE-2025-46784: A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2... (2025-11-05)

📋 Vendor Advisories (3)

Ubuntu: Lasso vulnerabilities (2025-11-18)
Red Hat: lasso: Memory exhaustion in Entr'ouvert Lasso (2025-11-05)
Debian: CVE-2025-46784: lasso - A denial of service vulnerability exists in the lasso_node_init_from_message_wit... (2025)

🕵️ Threat Intelligence (1)

Talos: Dell ControlVault, Lasso, GL.iNet vulnerabilities (2025-11-26)