Out-of-bounds Read Affecting ruzstd package, versions >0.7.0 <0.7.3


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-RUZSTD-8444383
  • published29 Nov 2024
  • disclosed28 Nov 2024
  • creditUnknown

Introduced: 28 Nov 2024

CVE NOT AVAILABLE CWE-125  (opens in a new tab)

How to fix?

Upgrade ruzstd to version 0.7.3 or higher.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Read due to the copy_bytes_overshooting process. An attacker can read up to 15 bytes of uninitialized or out-of-bounds memory, potentially leading to sensitive information disclosure by decompressing a specially crafted archive.

CVSS Scores

version 4.0
version 3.1