CWE-617
AllowedReachable Assertion
Abstraction: Base · Status: Draft
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
989 vulnerabilities reference this CWE, most recent first.
GHSA-8RCJ-C8PJ-V3M3
Vulnerability from github – Published: 2022-02-09 23:55 – Updated: 2024-11-13 22:40Impact
When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.
Patches
We have patched the issue in GitHub commit 14fea662350e7c26eb5fe1be2ac31704e5682ee6.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-23564"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-03T21:00:20Z",
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.\n\n### Patches\nWe have patched the issue in GitHub commit [14fea662350e7c26eb5fe1be2ac31704e5682ee6](https://github.com/tensorflow/tensorflow/commit/14fea662350e7c26eb5fe1be2ac31704e5682ee6).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-8rcj-c8pj-v3m3",
"modified": "2024-11-13T22:40:32Z",
"published": "2022-02-09T23:55:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8rcj-c8pj-v3m3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23564"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/14fea662350e7c26eb5fe1be2ac31704e5682ee6"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-73.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-128.yaml"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Reachable Assertion in Tensorflow"
}
GHSA-8V5C-CHFG-FCJX
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2024-01-23 18:31An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.
{
"affected": [],
"aliases": [
"CVE-2021-32037"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-24T16:15:00Z",
"severity": "MODERATE"
},
"details": "An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.",
"id": "GHSA-8v5c-chfg-fcjx",
"modified": "2024-01-23T18:31:10Z",
"published": "2022-05-24T19:21:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32037"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-59071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8V66-G29X-3VXG
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:45ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).
{
"affected": [],
"aliases": [
"CVE-2017-14649"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-21T17:29:00Z",
"severity": "MODERATE"
},
"details": "ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).",
"id": "GHSA-8v66-g29x-3vxg",
"modified": "2025-04-20T03:45:42Z",
"published": "2022-05-13T01:43:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14649"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/09/19/graphicsmagick-assertion-failure-in-pixel_cache-c"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/graphicsmagick/bugs/439"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4232-1"
},
{
"type": "WEB",
"url": "http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100958"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8V9P-FGH7-HRP2
Vulnerability from github – Published: 2026-06-10 09:31 – Updated: 2026-06-10 09:31A vulnerability has been found in some Dahua products could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-29115"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T07:16:25Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in some Dahua products could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.",
"id": "GHSA-8v9p-fgh7-hrp2",
"modified": "2026-06-10T09:31:57Z",
"published": "2026-06-10T09:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29115"
},
{
"type": "WEB",
"url": "https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psirt/dhcc-sa-202606-001:-security-advisory-%E2%80%93-vulnerabilities-found-in-some-dahua-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8V9W-P43C-R885
Vulnerability from github – Published: 2022-06-21 20:12 – Updated: 2022-06-29 21:42Impact
When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.
This is a security concern for you, if - your service parses untrusted rulex expressions (expressions provided by an untrusted user), and - your service becomes unavailable when the thread running rulex panics.
Patches
The crashes are fixed in version 0.4.3. Affected users are advised to update to this version.
Workarounds
You can use catch_unwind to recover from panics.
For more information
If you have any questions or comments about this advisory: * Open an issue in rulex * Email me at ludwig.stecher@gmx.de
Credits
Credit for finding these bugs goes to
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rulex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31100"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-21T20:12:15Z",
"nvd_published_at": "2022-06-27T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.\n\nThis is a security concern for you, if\n- your service parses untrusted rulex expressions (expressions provided by an untrusted user), and\n- your service becomes unavailable when the thread running rulex panics.\n\n### Patches\nThe crashes are fixed in version **0.4.3**. Affected users are advised to update to this version.\n\n### Workarounds\nYou can use `catch_unwind` to recover from panics.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [rulex](https://github.com/rulex-rs/rulex/issues)\n* Email me at [ludwig.stecher@gmx.de](mailto:ludwig.stecher@gmx.de)\n\n### Credits\n\nCredit for finding these bugs goes to\n\n- [cargo fuzz](https://github.com/rust-fuzz/cargo-fuzz) and [afl.rs](https://github.com/rust-fuzz/afl.rs)\n- [evanrichter](https://github.com/evanrichter)\n- [ForAllSecure Mayhem](https://forallsecure.com/)",
"id": "GHSA-8v9w-p43c-r885",
"modified": "2022-06-29T21:42:56Z",
"published": "2022-06-21T20:12:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rulex-rs/rulex/security/advisories/GHSA-8v9w-p43c-r885"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31100"
},
{
"type": "WEB",
"url": "https://github.com/rulex-rs/rulex/commit/fac6d58b25c6f9f8c0a6cdc4dec75b37b219f1d6"
},
{
"type": "PACKAGE",
"url": "https://github.com/rulex-rs/rulex"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0031.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Reachable Assertion in rulex"
}
GHSA-8VP9-52J5-GHQW
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.
{
"affected": [],
"aliases": [
"CVE-2021-46179"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:21Z",
"severity": "MODERATE"
},
"details": "Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.",
"id": "GHSA-8vp9-52j5-ghqw",
"modified": "2024-04-04T07:06:52Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46179"
},
{
"type": "WEB",
"url": "https://github.com/upx/upx/issues/545"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8VVG-HJ6F-Q4WJ
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.
{
"affected": [],
"aliases": [
"CVE-2017-7539"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-26T14:29:00Z",
"severity": "HIGH"
},
"details": "An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server\u0027s initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.",
"id": "GHSA-8vvg-hj6f-q4wj",
"modified": "2022-05-13T01:07:32Z",
"published": "2022-05-13T01:07:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7539"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2628"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3466"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3470"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3471"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3472"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3473"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3474"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-7539"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473622"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7539"
},
{
"type": "WEB",
"url": "https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b"
},
{
"type": "WEB",
"url": "https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=ff82911cd3f69f028f2537825c9720ff78bc3f19"
},
{
"type": "WEB",
"url": "https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b"
},
{
"type": "WEB",
"url": "https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ff82911cd3f69f028f2537825c9720ff78bc3f19"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/07/21/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99944"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W48-7HCW-QCCW
Vulnerability from github – Published: 2022-03-03 00:00 – Updated: 2022-03-17 00:04There is an Assertion `num <= INT_BIT' failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.
{
"affected": [],
"aliases": [
"CVE-2021-45861"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-02T00:15:00Z",
"severity": "MODERATE"
},
"details": "There is an Assertion `num \u003c= INT_BIT\u0027 failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.",
"id": "GHSA-8w48-7hcw-qccw",
"modified": "2022-03-17T00:04:21Z",
"published": "2022-03-03T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45861"
},
{
"type": "WEB",
"url": "https://github.com/justdan96/tsMuxer/issues/478"
},
{
"type": "WEB",
"url": "https://github.com/justdan96/tsMuxer/pull/481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W5Q-7H44-9VH9
Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-29 12:30Reachable Assertion vulnerability in Open5GS up to version 2.7.5 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.
{
"affected": [],
"aliases": [
"CVE-2025-41068"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T13:15:45Z",
"severity": "HIGH"
},
"details": "Reachable Assertion vulnerability in Open5GS up to version 2.7.5 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.",
"id": "GHSA-8w5q-7h44-9vh9",
"modified": "2025-10-29T12:30:25Z",
"published": "2025-10-27T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41068"
},
{
"type": "WEB",
"url": "https://open5gs.org/open5gs/release/2025/03/30/release-v2.7.5.html"
},
{
"type": "WEB",
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8W8F-R2XV-4Q4J
Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to transit/keys/* can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type (rsa-*, ecdsa-*, ed25519)
with derived: true. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.
Mount the transit engine:
`curl -sS -X POST -H "X-Vault-Token: root" \
-d '{"type":"transit"}' \
http://127.0.0.1:8200/v1/sys/mounts/transit`
Trigger the crash:
`curl -sS -w '\nHTTP %{http_code}\n' -X POST \
-H "X-Vault-Token: root" \
-H "Content-Type: application/json" \
-d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \
http://127.0.0.1:8200/v1/transit/keys/some-key-name`
You can try with both JSON or HCL It will crash the entire cluster.
Observed: HTTP 000 curl: (52) Empty reply from server
$ docker ps -a --filter name=openbao
STATUS: Exited (2)
Root Cause (Hypothesis)
Key-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When derived: true is supplied alongside an asymmetric type, the creation path likely panics on a missing derived-key field or
invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit policy.go / key-creation path.
Suggested fix:
Validate the (type, derived) combination at the top of the create-key handler. Reject with a 400 if derived: true is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305,
xchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"last_affected": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260617104123-db57c62602b2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55776"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:42:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to `transit/keys/*` can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric `type` (`rsa-*`, `ecdsa-*`, `ed25519`)\nwith `derived: true`. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.\n\n\nMount the transit engine:\n\n `curl -sS -X POST -H \"X-Vault-Token: root\" \\\n -d \u0027{\"type\":\"transit\"}\u0027 \\\n http://127.0.0.1:8200/v1/sys/mounts/transit`\n\nTrigger the crash:\n\n `curl -sS -w \u0027\\nHTTP %{http_code}\\n\u0027 -X POST \\\n -H \"X-Vault-Token: root\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"type\":\"rsa-2048\",\"derived\":true,\"exportable\":true,\"deletion_allowed\":false}\u0027 \\\n http://127.0.0.1:8200/v1/transit/keys/some-key-name`\n\nYou can try with both JSON or HCL It will crash the entire cluster.\n\n Observed:\n HTTP 000\n curl: (52) Empty reply from server\n\n $ docker ps -a --filter name=openbao\n STATUS: Exited (2)\n\nRoot Cause (Hypothesis)\nKey-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When `derived: true` is supplied alongside an asymmetric `type`, the creation path likely panics on a missing derived-key field or\n invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit `policy.go` / key-creation path.\n\nSuggested fix:\nValidate the (`type`, `derived`) combination at the top of the create-key handler. Reject with a 400 if `derived: true` is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305,\nxchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.",
"id": "GHSA-8w8f-r2xv-4q4j",
"modified": "2026-06-19T21:42:09Z",
"published": "2026-06-19T21:42:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-8w8f-r2xv-4q4j"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/pull/3309"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/db57c62602b25da12951f3f0edb888e7c4da61e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/releases/tag/v2.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types"
}
Mitigation
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Mitigation
Strategy: Input Validation
Perform input validation on user data.
No CAPEC attack patterns related to this CWE.