CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-W2PG-HW7V-F7M9
Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-06-30 03:35A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
{
"affected": [],
"aliases": [
"CVE-2025-59465"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T21:16:04Z",
"severity": "HIGH"
},
"details": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n socket.on(\u0027error\u0027, err =\u003e {\n console.log(err)\n })\n})\n```",
"id": "GHSA-w2pg-hw7v-f7m9",
"modified": "2026-06-30T03:35:27Z",
"published": "2026-01-20T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59465.json"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2899"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2864"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2783"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2781"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2768"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2422"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2421"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2420"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W834-CF6P-9M9W
Vulnerability from github – Published: 2026-07-02 19:44 – Updated: 2026-07-02 19:44Am I affected
You are affected if:
- You run
zebradup to and includingv4.4.1. - Your node processes blocks on any Zcash network.
Summary
The finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A consensus-valid block containing a long chain of same-address transparent self-spends can cause the intermediate per-address balance during the credit pass to exceed MAX_MONEY, triggering a panic in the finalized state writer.
Because the triggering block is consensus-valid (zcashd accepts it), the panic recurs on restart when the node re-encounters the same block. This creates a persistent chain halt that can only be resolved by a software patch.
Details
The finalized state writer at zebra-state/src/service/finalized_state/zebra_db/transparent.rs iterates all transaction outputs in a block and credits them to per-address balances before iterating inputs and debiting spent outputs. When a block contains many transparent self-spends to the same address, the intermediate credit-only balance can exceed the MAX_MONEY supply cap even though the final net balance (credits minus debits) is valid.
The code panics on the intermediate overflow via .expect() on the balance addition. Under Zebra's panic = "abort" release profile, this terminates the process. On restart, the node re-downloads and re-processes the same consensus-valid block, triggering the same panic.
An attacker with approximately 1,100–2,100 ZEC and mining capability can construct a block that permanently halts all Zebra nodes. The attacker recovers their capital (the self-spends return funds to the same address), so the net cost is the mining effort only.
Patches
Patched in Zebra 4.4.2. The fix processes credits and debits together per transaction rather than all credits then all debits, matching zcashd's approach.
Workarounds
No workaround is available. Upgrade to Zebra 4.4.2.
Impact
A single consensus-valid mined block can permanently halt all Zebra nodes on the network. The halt persists across restarts. Recovery requires deploying a patched version. Downstream consumers (light wallets, exchanges, mining infrastructure) lose service for the duration of the halt.
Credit
Reported by @sangsoo-osec.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "crates.io",
"name": "zebra-state"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.1"
},
"package": {
"ecosystem": "crates.io",
"name": "zebrad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52738"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T19:44:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your node processes blocks on any Zcash network.\n\n### Summary\n\nThe finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A consensus-valid block containing a long chain of same-address transparent self-spends can cause the intermediate per-address balance during the credit pass to exceed `MAX_MONEY`, triggering a panic in the finalized state writer.\n\nBecause the triggering block is consensus-valid (zcashd accepts it), the panic recurs on restart when the node re-encounters the same block. This creates a persistent chain halt that can only be resolved by a software patch.\n\n### Details\n\nThe finalized state writer at `zebra-state/src/service/finalized_state/zebra_db/transparent.rs` iterates all transaction outputs in a block and credits them to per-address balances before iterating inputs and debiting spent outputs. When a block contains many transparent self-spends to the same address, the intermediate credit-only balance can exceed the `MAX_MONEY` supply cap even though the final net balance (credits minus debits) is valid.\n\nThe code panics on the intermediate overflow via `.expect()` on the balance addition. Under Zebra\u0027s `panic = \"abort\"` release profile, this terminates the process. On restart, the node re-downloads and re-processes the same consensus-valid block, triggering the same panic.\n\nAn attacker with approximately 1,100\u20132,100 ZEC and mining capability can construct a block that permanently halts all Zebra nodes. The attacker recovers their capital (the self-spends return funds to the same address), so the net cost is the mining effort only.\n\n### Patches\n\nPatched in Zebra 4.4.2. The fix processes credits and debits together per transaction rather than all credits then all debits, matching zcashd\u0027s approach.\n\n### Workarounds\n\nNo workaround is available. Upgrade to Zebra 4.4.2.\n\n### Impact\n\nA single consensus-valid mined block can permanently halt all Zebra nodes on the network. The halt persists across restarts. Recovery requires deploying a patched version. Downstream consumers (light wallets, exchanges, mining infrastructure) lose service for the duration of the halt.\n\n### Credit\n\nReported by `@sangsoo-osec`.",
"id": "GHSA-w834-cf6p-9m9w",
"modified": "2026-07-02T19:44:54Z",
"published": "2026-07-02T19:44:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-w834-cf6p-9m9w"
},
{
"type": "PACKAGE",
"url": "https://github.com/ZcashFoundation/zebra"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Zebra: Finalized address balance credit-first overflow on consensus-valid blocks"
}
GHSA-W87H-5V33-3C9X
Vulnerability from github – Published: 2025-12-02 03:31 – Updated: 2025-12-02 15:30In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647.
{
"affected": [],
"aliases": [
"CVE-2025-20758"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T03:16:17Z",
"severity": "MODERATE"
},
"details": "In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647.",
"id": "GHSA-w87h-5v33-3c9x",
"modified": "2025-12-02T15:30:30Z",
"published": "2025-12-02T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20758"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WCXC-JF6C-8RX9
Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2026-01-23 22:32Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xvcg-2q82-r87j. This link is maintained to preserve external references.
Original Description
Affected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which is a form of UB. This flaw was corrected by [this commit][1] which was included in version 2.6.0.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libpulse-binding"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:24:24Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xvcg-2q82-r87j. This link is maintained to preserve external references.\n\n## Original Description\nAffected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which\nis a form of UB. This flaw was corrected by [this commit][1] which was included in version 2.6.0.",
"id": "GHSA-wcxc-jf6c-8rx9",
"modified": "2026-01-23T22:32:51Z",
"published": "2021-08-25T20:57:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jnqnfe/pulse-binding-rust/commit/7fd282aef7787577c385aed88cb25d004b85f494"
},
{
"type": "PACKAGE",
"url": "https://github.com/jnqnfe/pulse-binding-rust"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2019-0038.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Duplicate Advisory: Uncaught Exception in libpulse-binding",
"withdrawn": "2026-01-23T22:32:51Z"
}
GHSA-WFF4-FPWG-QQV3
Vulnerability from github – Published: 2022-08-30 20:38 – Updated: 2022-09-08 14:17Impact
When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.
- Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict
unhandledRejectionexiting - Next.js version v12.2.3
-
Using next start or a custom server
-
Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where
next-serverisn't being shared across requests.
Patches
https://github.com/vercel/next.js/releases/tag/v12.2.4
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "12.2.3"
},
{
"fixed": "12.2.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"12.2.3"
]
}
],
"aliases": [
"CVE-2022-36046"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-30T20:38:34Z",
"nvd_published_at": "2022-08-31T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen specific requests are made to the Next.js server it can cause an `unhandledRejection` in the server which can crash the process to exit in specific Node.js versions with strict `unhandledRejection` handling. \n\n- Affected: All of the following must be true to be affected by this CVE\n - Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting\n - Next.js version v12.2.3\n - Using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server)\n \n- Not affected: Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn\u0027t being shared across requests.\n\n### Patches\nhttps://github.com/vercel/next.js/releases/tag/v12.2.4\n",
"id": "GHSA-wff4-fpwg-qqv3",
"modified": "2022-09-08T14:17:38Z",
"published": "2022-08-30T20:38:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36046"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/releases/tag/v12.2.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unexpected server crash in Next.js"
}
GHSA-WHHR-7F2W-QQJ2
Vulnerability from github – Published: 2023-09-21 17:10 – Updated: 2026-03-11 20:35Impact
The phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string .;phone-context=.
Patches
Patches will be published as version 0.3.3+8.13.9 and backported as 0.2.5+8.11.3.
Workarounds
n.a.
References
n.a.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "phonenumber"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "phonenumber"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42444"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-248",
"CWE-392"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-21T17:10:57Z",
"nvd_published_at": "2023-09-19T15:15:56Z",
"severity": "HIGH"
},
"details": "### Impact\nThe phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string.\n\nIn a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`.\n\n### Patches\nPatches will be published as version `0.3.3+8.13.9` and backported as `0.2.5+8.11.3`.\n\n### Workarounds\nn.a.\n\n### References\nn.a.",
"id": "GHSA-whhr-7f2w-qqj2",
"modified": "2026-03-11T20:35:22Z",
"published": "2023-09-21T17:10:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42444"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"
},
{
"type": "PACKAGE",
"url": "https://github.com/whisperfish/rust-phonenumber"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0082.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "phonenumber panics on parsing crafted RFC3966 inputs"
}
GHSA-WJJJ-24CX-F28G
Vulnerability from github – Published: 2026-07-01 20:04 – Updated: 2026-07-01 20:04A single unauthenticated WebSocket message to /rpc crashed the SurrealDB server. Sending use { db: "x" } without first selecting a namespace hit .expect("namespace should be set") in the use handler; because surrealdb-core is built with panic = 'abort', the panic terminated the process. use is callable before signin, and the per-method capability check passes by default for guest callers — so no credentials, token, or --allow-guests flag are required.
Impact
An unauthenticated remote attacker who could reach the /rpc endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.
Patches
A patch has been introduced that returns a typed invalid_params response when db is set on a session with no ns, replacing the panic.
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Affected users who are unable to update should restrict network access to the /rpc endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T20:04:22Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A single unauthenticated WebSocket message to `/rpc` crashed the SurrealDB server. Sending `use { db: \"x\" }` without first selecting a namespace hit `.expect(\"namespace should be set\")` in the `use` handler; because `surrealdb-core` is built with `panic = \u0027abort\u0027`, the panic terminated the process. `use` is callable before `signin`, and the per-method capability check passes by default for guest callers \u2014 so no credentials, token, or `--allow-guests` flag are required.\n\n### Impact\n\nAn unauthenticated remote attacker who could reach the `/rpc` endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.\n\n### Patches\n\nA patch has been introduced that returns a typed `invalid_params` response when `db` is set on a session with no `ns`, replacing the panic.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update should restrict network access to the `/rpc` endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.",
"id": "GHSA-wjjj-24cx-f28g",
"modified": "2026-07-01T20:04:22Z",
"published": "2026-07-01T20:04:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-wjjj-24cx-f28g"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/1537ec4fbd789c61a5b43b648a854577dbe31a34"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB has unauthenticated remote DoS via malformed RPC `use` call"
}
GHSA-WM7H-9275-46V2
Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2023-08-28 14:22This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dicer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:dicer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24434"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T20:22:41Z",
"nvd_published_at": "2022-05-20T20:15:00Z",
"severity": "HIGH"
},
"details": "This affects all versions of the package `dicer`. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop.",
"id": "GHSA-wm7h-9275-46v2",
"modified": "2023-08-28T14:22:54Z",
"published": "2022-05-21T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434"
},
{
"type": "WEB",
"url": "https://github.com/mscdex/busboy/issues/250"
},
{
"type": "WEB",
"url": "https://github.com/mscdex/dicer/pull/22"
},
{
"type": "WEB",
"url": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
},
{
"type": "PACKAGE",
"url": "https://github.com/mscdex/dicer"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Crash in HeaderParser in dicer"
}
GHSA-WP73-MWGF-4JQ9
Vulnerability from github – Published: 2026-05-18 17:56 – Updated: 2026-06-09 10:57Summary
OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.
Details
matchExeSymbolsiterates over sections and uses offsets/symbol names from the unvalidated fastelfcontext; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165
GetCStringUnsafe and ReadStruct perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213
NewElfContextFromDatatrusts Shoff/Shnum/Phnumfrom the ELF header, converting them to intand populating sections/segments without validating offsets or ensuring ReadStructreturned non-nil.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296
Malformed ELF metadata can therefore crash OBI during normal process discovery.
PoC
Local testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current HEAD still panics in exactly the same way.
Use a vulnerable build:
git checkout v0.0.0-rc.1+build
make build
Create a small valid ELF and then corrupt its section-header metadata:
cat >/tmp/hello.c <<'EOF'
int main(void) { return 0; }
EOF
cc -o /tmp/hello /tmp/hello.c
cp /tmp/hello /tmp/hello-bad
printf '\xff\xff' | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc
Run the malformed executable so OBI inspects it during process discovery:
chmod +x /tmp/hello-bad
/tmp/hello-bad &
Start OBI or trigger a rescan of processes:
sudo ./bin/obi
On a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before GetCStringUnsafe and related section lookups.
Impact
This is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/obi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45676"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:56:06Z",
"nvd_published_at": "2026-06-02T16:16:42Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nOBI\u0027s replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.\n\n### Details\n\n`matchExeSymbols `iterates over sections and uses offsets/symbol names from the unvalidated `fastelf `context; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165\n\n`GetCStringUnsafe` and `ReadStruct` perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213\n\n`NewElfContextFromData `trusts `Shoff`/`Shnum`/`Phnum `from the ELF header, converting them to `int `and populating sections/segments without validating offsets or ensuring `ReadStruct `returned non-nil.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296\n\nMalformed ELF metadata can therefore crash OBI during normal process discovery.\n\n### PoC\n\nLocal testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current `HEAD` still panics in exactly the same way.\n\nUse a vulnerable build:\n\n```bash\ngit checkout v0.0.0-rc.1+build\nmake build\n```\n\nCreate a small valid ELF and then corrupt its section-header metadata:\n\n```bash\ncat \u003e/tmp/hello.c \u003c\u003c\u0027EOF\u0027\nint main(void) { return 0; }\nEOF\ncc -o /tmp/hello /tmp/hello.c\ncp /tmp/hello /tmp/hello-bad\nprintf \u0027\\xff\\xff\u0027 | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc\n```\n\nRun the malformed executable so OBI inspects it during process discovery:\n\n```bash\nchmod +x /tmp/hello-bad\n/tmp/hello-bad \u0026\n```\n\nStart OBI or trigger a rescan of processes:\n\n```bash\nsudo ./bin/obi\n```\n\nOn a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before `GetCStringUnsafe` and related section lookups.\n\n### Impact\n\nThis is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.",
"id": "GHSA-wp73-mwgf-4jq9",
"modified": "2026-06-09T10:57:54Z",
"published": "2026-05-18T17:56:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-wp73-mwgf-4jq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45676"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent"
}
GHSA-WV7R-XG3P-CCR7
Vulnerability from github – Published: 2026-04-27 12:30 – Updated: 2026-04-27 12:30Insufficient parameter verification leads to the occurrence of format errors in files, which will trigger an unhandled "std::invalid_argument" exception, ultimately causing the program to terminate.
{
"affected": [],
"aliases": [
"CVE-2026-5937"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-27T12:16:24Z",
"severity": "MODERATE"
},
"details": "Insufficient parameter verification leads to the occurrence of format errors in files, which will trigger an unhandled \"std::invalid_argument\" exception, ultimately causing the program to terminate.",
"id": "GHSA-wv7r-xg3p-ccr7",
"modified": "2026-04-27T12:30:38Z",
"published": "2026-04-27T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5937"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.