SB2024042361 - Incorrect calculation in Synapse




Published: April 23, 2024
Updated: April 23, 2026

Security Bulletin ID: SB2024042361
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Incorrect calculation (CVE-ID: CVE-2024-31208)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper calculation of the auth chain cover index in auth chain indexing when processing specially crafted events from a remote room member. A remote user can send specially crafted events to cause a denial of service.

Exploitation can lead to disk fill and high CPU usage. Servers in private federations, or those that do not federate, are not affected.


Remediation

Install the update from the vendor's website.