Main Vulnerability Database Vulnerabilities #VU20060

Race condition in Zstandard - CVE-2019-11922

Published: August 12, 2019

Vulnerability identifier: #VU20060

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-11922

CWE-ID: CWE-362

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Facebook Inc.

Affected software:
Zstandard

Detailed vulnerability description

The vulnerability allows an attacker to execute arbitrary code on the target system.

The vulnerability exists due to a race condition in the one-pass compression functions. A remote attacker can exploit the race and write bytes out of bounds if an output buffer smaller than the recommended size was used.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.

How to mitigate CVE-2019-11922

Install updates from vendor's website.

Sources

https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
https://www.facebook.com/security/advisories/cve-2019-11922

Race condition in Zstandard - CVE-2019-11922

Detailed vulnerability description

How to mitigate CVE-2019-11922

Sources

Please verify you're human