Nanopb is a small code-size Protocol Buffers implementation. When the compile-time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with the FT_POINTER field type, a custom stream callback is used with unknown stream length, and the pb_decode_ex() function is used with the flag PB_DECODE_DELIMITED, then pb_decode_ex() does not automatically call pb_release() as it does for other failure cases. This could lead to a memory leak and potential denial of service. This vulnerability is fixed in 0.4.9.1.
Reserved 2024-11-25 | Published 2024-12-02 | Updated 2024-12-02 | Assigner GitHub_M
CWE-401: Missing Release of Memory after Effective Lifetime
CWE-755: Improper Handling of Exceptional Conditions
github.com/...nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
github.com/...ommit/2b86c255aa52250438d5aba124d0e86db495b378
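
The failure mode described above, as an added self-contained model (not nanopb code and not from the advisory): every `toy_*` name, `decode_or_release` and the sample frame are hypothetical. It shows a decoder that fails after allocating a pointer field without freeing it, and a caller-side wrapper that releases the message on any failure, which corresponds to calling pb_release() after a failed pb_decode_ex() on versions before 0.4.9.1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: a message with one heap-allocated (pointer-type) field. */
typedef struct { char *name; } toy_msg;
typedef struct { const unsigned char *buf; size_t len, pos; } toy_stream;
static int live_allocs = 0;            /* counts fields not yet freed */

static void toy_release(toy_msg *m) {  /* idempotent: safe on a NULL field */
    if (m->name) { free(m->name); m->name = NULL; live_allocs--; }
}

static bool toy_read(toy_stream *s, unsigned char *out, size_t n) {
    if (s->len - s->pos < n) return false;   /* stream ended early */
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return true;
}

/* Frame layout (constructed): [name_len][name bytes][trailing byte].
 * Like the affected path, it returns false without freeing m->name. */
static bool toy_decode_delimited(toy_stream *s, toy_msg *m) {
    unsigned char name_len, trailer;
    if (!toy_read(s, &name_len, 1)) return false;
    m->name = malloc((size_t)name_len + 1);
    if (!m->name) return false;
    live_allocs++;
    if (!toy_read(s, (unsigned char *)m->name, name_len)) return false;
    m->name[name_len] = '\0';
    return toy_read(s, &trailer, 1);         /* fails on a truncated frame */
}

/* Caller-side mitigation: treat the message as dirty after any failure. */
static bool decode_or_release(toy_stream *s, toy_msg *m) {
    if (toy_decode_delimited(s, m)) return true;
    toy_release(m);
    return false;
}

/* Live allocations left after decoding a truncated frame (-1 if it decoded). */
int leaked_after_truncated(bool use_wrapper) {
    static const unsigned char frame[] = { 3, 'a', 'b', 'c' }; /* trailer missing */
    toy_stream s = { frame, sizeof frame, 0 };
    toy_msg m = { NULL };
    live_allocs = 0;
    bool ok = use_wrapper ? decode_or_release(&s, &m) : toy_decode_delimited(&s, &m);
    int left = ok ? -1 : live_allocs;
    toy_release(&m);                         /* keep the demo itself leak-free */
    return left;
}
```
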