Main Vulnerability Database Vulnerabilities #VU20060

#VU20060 Race condition in Zstandard - CVE-2019-11922

Published: August 12, 2019

Vulnerability identifier: #VU20060

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-11922

CWE-ID: CWE-362

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Zstandard

Software vendor:
Facebook Inc.

Description

The vulnerability allows an attacker to execute arbitrary code on the target system.

The vulnerability exists due to a race condition in the one-pass compression functions. A remote attacker can exploit the race and write bytes out of bounds if an output buffer smaller than the recommended size was used.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.

Remediation

Install updates from vendor's website.

External links

https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
https://www.facebook.com/security/advisories/cve-2019-11922