We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53984

Nanopb does not release memory on error return when using PB_DECODE_DELIMITED



Description

Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, custom stream callback is used with unknown stream length. and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.

Reserved 2024-11-25 | Published 2024-12-02 | Updated 2024-12-02 | Assigner GitHub_M


MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-401: Missing Release of Memory after Effective Lifetime

CWE-755: Improper Handling of Exceptional Conditions

Product status

>=0.4.0, < 0.4.9.1
affected

References

github.com/...nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r

github.com/...ommit/2b86c255aa52250438d5aba124d0e86db495b378

cve.org (CVE-2024-53984)

nvd.nist.gov (CVE-2024-53984)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-53984

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.