Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-W2PG-HW7V-F7M9

Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-06-30 03:35
VLAI
Details

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:

server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T21:16:04Z",
    "severity": "HIGH"
  },
  "details": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n  socket.on(\u0027error\u0027, err =\u003e {\n    console.log(err)\n  })\n})\n```",
  "id": "GHSA-w2pg-hw7v-f7m9",
  "modified": "2026-06-30T03:35:27Z",
  "published": "2026-01-20T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59465.json"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7387"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7386"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6431"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6402"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2899"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2864"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2783"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2782"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2781"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2768"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2767"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2422"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2421"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2420"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1843"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:1842"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W834-CF6P-9M9W

Vulnerability from github – Published: 2026-07-02 19:44 – Updated: 2026-07-02 19:44
VLAI
Summary
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks
Details

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node processes blocks on any Zcash network.

Summary

The finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A consensus-valid block containing a long chain of same-address transparent self-spends can cause the intermediate per-address balance during the credit pass to exceed MAX_MONEY, triggering a panic in the finalized state writer.

Because the triggering block is consensus-valid (zcashd accepts it), the panic recurs on restart when the node re-encounters the same block. This creates a persistent chain halt that can only be resolved by a software patch.

Details

The finalized state writer at zebra-state/src/service/finalized_state/zebra_db/transparent.rs iterates all transaction outputs in a block and credits them to per-address balances before iterating inputs and debiting spent outputs. When a block contains many transparent self-spends to the same address, the intermediate credit-only balance can exceed the MAX_MONEY supply cap even though the final net balance (credits minus debits) is valid.

The code panics on the intermediate overflow via .expect() on the balance addition. Under Zebra's panic = "abort" release profile, this terminates the process. On restart, the node re-downloads and re-processes the same consensus-valid block, triggering the same panic.

An attacker with approximately 1,100–2,100 ZEC and mining capability can construct a block that permanently halts all Zebra nodes. The attacker recovers their capital (the self-spends return funds to the same address), so the net cost is the mining effort only.

Patches

Patched in Zebra 4.4.2. The fix processes credits and debits together per transaction rather than all credits then all debits, matching zcashd's approach.

Workarounds

No workaround is available. Upgrade to Zebra 4.4.2.

Impact

A single consensus-valid mined block can permanently halt all Zebra nodes on the network. The halt persists across restarts. Recovery requires deploying a patched version. Downstream consumers (light wallets, exchanges, mining infrastructure) lose service for the duration of the halt.

Credit

Reported by @sangsoo-osec.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-state"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T19:44:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your node processes blocks on any Zcash network.\n\n### Summary\n\nThe finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A consensus-valid block containing a long chain of same-address transparent self-spends can cause the intermediate per-address balance during the credit pass to exceed `MAX_MONEY`, triggering a panic in the finalized state writer.\n\nBecause the triggering block is consensus-valid (zcashd accepts it), the panic recurs on restart when the node re-encounters the same block. This creates a persistent chain halt that can only be resolved by a software patch.\n\n### Details\n\nThe finalized state writer at `zebra-state/src/service/finalized_state/zebra_db/transparent.rs` iterates all transaction outputs in a block and credits them to per-address balances before iterating inputs and debiting spent outputs. When a block contains many transparent self-spends to the same address, the intermediate credit-only balance can exceed the `MAX_MONEY` supply cap even though the final net balance (credits minus debits) is valid.\n\nThe code panics on the intermediate overflow via `.expect()` on the balance addition. Under Zebra\u0027s `panic = \"abort\"` release profile, this terminates the process. On restart, the node re-downloads and re-processes the same consensus-valid block, triggering the same panic.\n\nAn attacker with approximately 1,100\u20132,100 ZEC and mining capability can construct a block that permanently halts all Zebra nodes. The attacker recovers their capital (the self-spends return funds to the same address), so the net cost is the mining effort only.\n\n### Patches\n\nPatched in Zebra 4.4.2. The fix processes credits and debits together per transaction rather than all credits then all debits, matching zcashd\u0027s approach.\n\n### Workarounds\n\nNo workaround is available. Upgrade to Zebra 4.4.2.\n\n### Impact\n\nA single consensus-valid mined block can permanently halt all Zebra nodes on the network. The halt persists across restarts. Recovery requires deploying a patched version. Downstream consumers (light wallets, exchanges, mining infrastructure) lose service for the duration of the halt.\n\n### Credit\n\nReported by `@sangsoo-osec`.",
  "id": "GHSA-w834-cf6p-9m9w",
  "modified": "2026-07-02T19:44:54Z",
  "published": "2026-07-02T19:44:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-w834-cf6p-9m9w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zebra: Finalized address balance credit-first overflow on consensus-valid blocks"
}

GHSA-W87H-5V33-3C9X

Vulnerability from github – Published: 2025-12-02 03:31 – Updated: 2025-12-02 15:30
VLAI
Details

In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-02T03:16:17Z",
    "severity": "MODERATE"
  },
  "details": "In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647.",
  "id": "GHSA-w87h-5v33-3c9x",
  "modified": "2025-12-02T15:30:30Z",
  "published": "2025-12-02T03:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20758"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCXC-JF6C-8RX9

Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2026-01-23 22:32
VLAI
Summary
Duplicate Advisory: Uncaught Exception in libpulse-binding
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-xvcg-2q82-r87j. This link is maintained to preserve external references.

Original Description

Affected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which is a form of UB. This flaw was corrected by [this commit][1] which was included in version 2.6.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libpulse-binding"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:24:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xvcg-2q82-r87j. This link is maintained to preserve external references.\n\n## Original Description\nAffected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which\nis a form of UB. This flaw was corrected by [this commit][1] which was included in version 2.6.0.",
  "id": "GHSA-wcxc-jf6c-8rx9",
  "modified": "2026-01-23T22:32:51Z",
  "published": "2021-08-25T20:57:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jnqnfe/pulse-binding-rust/commit/7fd282aef7787577c385aed88cb25d004b85f494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jnqnfe/pulse-binding-rust"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2019-0038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Duplicate Advisory: Uncaught Exception in libpulse-binding",
  "withdrawn": "2026-01-23T22:32:51Z"
}

GHSA-WFF4-FPWG-QQV3

Vulnerability from github – Published: 2022-08-30 20:38 – Updated: 2022-09-08 14:17
VLAI
Summary
Unexpected server crash in Next.js
Details

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

  • Affected: All of the following must be true to be affected by this CVE
  • Node.js version above v15.0.0 being used with strict unhandledRejection exiting
  • Next.js version v12.2.3
  • Using next start or a custom server

  • Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn't being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.2.3"
            },
            {
              "fixed": "12.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "12.2.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-30T20:38:34Z",
    "nvd_published_at": "2022-08-31T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen specific requests are made to the Next.js server it can cause an `unhandledRejection` in the server which can crash the process to exit in specific Node.js versions with strict `unhandledRejection` handling. \n\n- Affected: All of the following must be true to be affected by this CVE\n  - Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting\n  - Next.js version v12.2.3\n  - Using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server)\n \n- Not affected: Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn\u0027t being shared across requests.\n\n### Patches\nhttps://github.com/vercel/next.js/releases/tag/v12.2.4\n",
  "id": "GHSA-wff4-fpwg-qqv3",
  "modified": "2022-09-08T14:17:38Z",
  "published": "2022-08-30T20:38:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v12.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unexpected server crash in Next.js"
}

GHSA-WHHR-7F2W-QQJ2

Vulnerability from github – Published: 2023-09-21 17:10 – Updated: 2026-03-11 20:35
VLAI
Summary
phonenumber panics on parsing crafted RFC3966 inputs
Details

Impact

The phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string.

In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string .;phone-context=.

Patches

Patches will be published as version 0.3.3+8.13.9 and backported as 0.2.5+8.11.3.

Workarounds

n.a.

References

n.a.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "phonenumber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "phonenumber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-248",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T17:10:57Z",
    "nvd_published_at": "2023-09-19T15:15:56Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string.\n\nIn a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`.\n\n### Patches\nPatches will be published as version `0.3.3+8.13.9` and backported as `0.2.5+8.11.3`.\n\n### Workarounds\nn.a.\n\n### References\nn.a.",
  "id": "GHSA-whhr-7f2w-qqj2",
  "modified": "2026-03-11T20:35:22Z",
  "published": "2023-09-21T17:10:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42444"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/whisperfish/rust-phonenumber"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0082.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phonenumber panics on parsing crafted RFC3966 inputs"
}

GHSA-WJJJ-24CX-F28G

Vulnerability from github – Published: 2026-07-01 20:04 – Updated: 2026-07-01 20:04
VLAI
Summary
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
Details

A single unauthenticated WebSocket message to /rpc crashed the SurrealDB server. Sending use { db: "x" } without first selecting a namespace hit .expect("namespace should be set") in the use handler; because surrealdb-core is built with panic = 'abort', the panic terminated the process. use is callable before signin, and the per-method capability check passes by default for guest callers — so no credentials, token, or --allow-guests flag are required.

Impact

An unauthenticated remote attacker who could reach the /rpc endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.

Patches

A patch has been introduced that returns a typed invalid_params response when db is set on a session with no ns, replacing the panic.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update should restrict network access to the /rpc endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:04:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A single unauthenticated WebSocket message to `/rpc` crashed the SurrealDB server. Sending `use { db: \"x\" }` without first selecting a namespace hit `.expect(\"namespace should be set\")` in the `use` handler; because `surrealdb-core` is built with `panic = \u0027abort\u0027`, the panic terminated the process. `use` is callable before `signin`, and the per-method capability check passes by default for guest callers \u2014 so no credentials, token, or `--allow-guests` flag are required.\n\n### Impact\n\nAn unauthenticated remote attacker who could reach the `/rpc` endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.\n\n### Patches\n\nA patch has been introduced that returns a typed `invalid_params` response when `db` is set on a session with no `ns`, replacing the panic.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update should restrict network access to the `/rpc` endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.",
  "id": "GHSA-wjjj-24cx-f28g",
  "modified": "2026-07-01T20:04:22Z",
  "published": "2026-07-01T20:04:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-wjjj-24cx-f28g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/1537ec4fbd789c61a5b43b648a854577dbe31a34"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has unauthenticated remote DoS via malformed RPC `use` call"
}

GHSA-WM7H-9275-46V2

Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2023-08-28 14:22
VLAI
Summary
Crash in HeaderParser in dicer
Details

This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dicer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:dicer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T20:22:41Z",
    "nvd_published_at": "2022-05-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of the package `dicer`. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop.",
  "id": "GHSA-wm7h-9275-46v2",
  "modified": "2023-08-28T14:22:54Z",
  "published": "2022-05-21T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mscdex/busboy/issues/250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mscdex/dicer/pull/22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mscdex/dicer"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crash in HeaderParser in dicer"
}

GHSA-WP73-MWGF-4JQ9

Vulnerability from github – Published: 2026-05-18 17:56 – Updated: 2026-06-09 10:57
VLAI
Summary
OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent
Details

Summary

OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.

Details

matchExeSymbolsiterates over sections and uses offsets/symbol names from the unvalidated fastelfcontext; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165

GetCStringUnsafe and ReadStruct perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213

NewElfContextFromDatatrusts Shoff/Shnum/Phnumfrom the ELF header, converting them to intand populating sections/segments without validating offsets or ensuring ReadStructreturned non-nil.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296

Malformed ELF metadata can therefore crash OBI during normal process discovery.

PoC

Local testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current HEAD still panics in exactly the same way.

Use a vulnerable build:

git checkout v0.0.0-rc.1+build
make build

Create a small valid ELF and then corrupt its section-header metadata:

cat >/tmp/hello.c <<'EOF'
int main(void) { return 0; }
EOF
cc -o /tmp/hello /tmp/hello.c
cp /tmp/hello /tmp/hello-bad
printf '\xff\xff' | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc

Run the malformed executable so OBI inspects it during process discovery:

chmod +x /tmp/hello-bad
/tmp/hello-bad &

Start OBI or trigger a rescan of processes:

sudo ./bin/obi

On a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before GetCStringUnsafe and related section lookups.

Impact

This is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/obi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:56:06Z",
    "nvd_published_at": "2026-06-02T16:16:42Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOBI\u0027s replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.\n\n### Details\n\n`matchExeSymbols `iterates over sections and uses offsets/symbol names from the unvalidated `fastelf `context; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165\n\n`GetCStringUnsafe` and `ReadStruct` perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213\n\n`NewElfContextFromData `trusts `Shoff`/`Shnum`/`Phnum `from the ELF header, converting them to `int `and populating sections/segments without validating offsets or ensuring `ReadStruct `returned non-nil.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296\n\nMalformed ELF metadata can therefore crash OBI during normal process discovery.\n\n### PoC\n\nLocal testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current `HEAD` still panics in exactly the same way.\n\nUse a vulnerable build:\n\n```bash\ngit checkout v0.0.0-rc.1+build\nmake build\n```\n\nCreate a small valid ELF and then corrupt its section-header metadata:\n\n```bash\ncat \u003e/tmp/hello.c \u003c\u003c\u0027EOF\u0027\nint main(void) { return 0; }\nEOF\ncc -o /tmp/hello /tmp/hello.c\ncp /tmp/hello /tmp/hello-bad\nprintf \u0027\\xff\\xff\u0027 | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc\n```\n\nRun the malformed executable so OBI inspects it during process discovery:\n\n```bash\nchmod +x /tmp/hello-bad\n/tmp/hello-bad \u0026\n```\n\nStart OBI or trigger a rescan of processes:\n\n```bash\nsudo ./bin/obi\n```\n\nOn a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before `GetCStringUnsafe` and related section lookups.\n\n### Impact\n\nThis is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.",
  "id": "GHSA-wp73-mwgf-4jq9",
  "modified": "2026-06-09T10:57:54Z",
  "published": "2026-05-18T17:56:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-wp73-mwgf-4jq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45676"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent"
}

GHSA-WV7R-XG3P-CCR7

Vulnerability from github – Published: 2026-04-27 12:30 – Updated: 2026-04-27 12:30
VLAI
Details

Insufficient parameter verification leads to the occurrence of format errors in files, which will trigger an unhandled "std::invalid_argument" exception, ultimately causing the program to terminate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T12:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient parameter verification leads to the occurrence of format errors in files, which will trigger an unhandled \"std::invalid_argument\" exception, ultimately causing the program to terminate.",
  "id": "GHSA-wv7r-xg3p-ccr7",
  "modified": "2026-04-27T12:30:38Z",
  "published": "2026-04-27T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5937"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.