Common Weakness Enumeration

CWE-617

Allowed

Reachable Assertion

Abstraction: Base · Status: Draft

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

989 vulnerabilities reference this CWE, most recent first.

GHSA-8RCJ-C8PJ-V3M3

Vulnerability from github – Published: 2022-02-09 23:55 – Updated: 2024-11-13 22:40
VLAI
Summary
Reachable Assertion in Tensorflow
Details

Impact

When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.

Patches

We have patched the issue in GitHub commit 14fea662350e7c26eb5fe1be2ac31704e5682ee6.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-03T21:00:20Z",
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.\n\n### Patches\nWe have patched the issue in GitHub commit [14fea662350e7c26eb5fe1be2ac31704e5682ee6](https://github.com/tensorflow/tensorflow/commit/14fea662350e7c26eb5fe1be2ac31704e5682ee6).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
  "id": "GHSA-8rcj-c8pj-v3m3",
  "modified": "2024-11-13T22:40:32Z",
  "published": "2022-02-09T23:55:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8rcj-c8pj-v3m3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/14fea662350e7c26eb5fe1be2ac31704e5682ee6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-73.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-128.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Reachable Assertion in Tensorflow"
}

GHSA-8V5C-CHFG-FCJX

Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2024-01-23 18:31
VLAI
Details

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-24T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.",
  "id": "GHSA-8v5c-chfg-fcjx",
  "modified": "2024-01-23T18:31:10Z",
  "published": "2022-05-24T19:21:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32037"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-59071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8V66-G29X-3VXG

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:45
VLAI
Details

ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-21T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).",
  "id": "GHSA-8v66-g29x-3vxg",
  "modified": "2025-04-20T03:45:42Z",
  "published": "2022-05-13T01:43:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14649"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/09/19/graphicsmagick-assertion-failure-in-pixel_cache-c"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/graphicsmagick/bugs/439"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4232-1"
    },
    {
      "type": "WEB",
      "url": "http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100958"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8V9P-FGH7-HRP2

Vulnerability from github – Published: 2026-06-10 09:31 – Updated: 2026-06-10 09:31
VLAI
Details

A vulnerability has been found in some Dahua products could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-29115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T07:16:25Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in some Dahua products could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service.",
  "id": "GHSA-8v9p-fgh7-hrp2",
  "modified": "2026-06-10T09:31:57Z",
  "published": "2026-06-10T09:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29115"
    },
    {
      "type": "WEB",
      "url": "https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psirt/dhcc-sa-202606-001:-security-advisory-%E2%80%93-vulnerabilities-found-in-some-dahua-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8V9W-P43C-R885

Vulnerability from github – Published: 2022-06-21 20:12 – Updated: 2022-06-29 21:42
VLAI
Summary
Reachable Assertion in rulex
Details

Impact

When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.

This is a security concern for you, if - your service parses untrusted rulex expressions (expressions provided by an untrusted user), and - your service becomes unavailable when the thread running rulex panics.

Patches

The crashes are fixed in version 0.4.3. Affected users are advised to update to this version.

Workarounds

You can use catch_unwind to recover from panics.

For more information

If you have any questions or comments about this advisory: * Open an issue in rulex * Email me at ludwig.stecher@gmx.de

Credits

Credit for finding these bugs goes to

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rulex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-21T20:12:15Z",
    "nvd_published_at": "2022-06-27T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.\n\nThis is a security concern for you, if\n- your service parses untrusted rulex expressions (expressions provided by an untrusted user), and\n- your service becomes unavailable when the thread running rulex panics.\n\n### Patches\nThe crashes are fixed in version **0.4.3**. Affected users are advised to update to this version.\n\n### Workarounds\nYou can use `catch_unwind` to recover from panics.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [rulex](https://github.com/rulex-rs/rulex/issues)\n* Email me at [ludwig.stecher@gmx.de](mailto:ludwig.stecher@gmx.de)\n\n### Credits\n\nCredit for finding these bugs goes to\n\n- [cargo fuzz](https://github.com/rust-fuzz/cargo-fuzz) and [afl.rs](https://github.com/rust-fuzz/afl.rs)\n- [evanrichter](https://github.com/evanrichter)\n- [ForAllSecure Mayhem](https://forallsecure.com/)",
  "id": "GHSA-8v9w-p43c-r885",
  "modified": "2022-06-29T21:42:56Z",
  "published": "2022-06-21T20:12:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rulex-rs/rulex/security/advisories/GHSA-8v9w-p43c-r885"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31100"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rulex-rs/rulex/commit/fac6d58b25c6f9f8c0a6cdc4dec75b37b219f1d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rulex-rs/rulex"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0031.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reachable Assertion in rulex"
}

GHSA-8VP9-52J5-GHQW

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06
VLAI
Details

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.",
  "id": "GHSA-8vp9-52j5-ghqw",
  "modified": "2024-04-04T07:06:52Z",
  "published": "2023-08-22T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46179"
    },
    {
      "type": "WEB",
      "url": "https://github.com/upx/upx/issues/545"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VVG-HJ6F-Q4WJ

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-26T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server\u0027s initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.",
  "id": "GHSA-8vvg-hj6f-q4wj",
  "modified": "2022-05-13T01:07:32Z",
  "published": "2022-05-13T01:07:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7539"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2628"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3466"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3470"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3471"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3472"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3473"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3474"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2017-7539"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473622"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7539"
    },
    {
      "type": "WEB",
      "url": "https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b"
    },
    {
      "type": "WEB",
      "url": "https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=ff82911cd3f69f028f2537825c9720ff78bc3f19"
    },
    {
      "type": "WEB",
      "url": "https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b"
    },
    {
      "type": "WEB",
      "url": "https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ff82911cd3f69f028f2537825c9720ff78bc3f19"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/07/21/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99944"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8W48-7HCW-QCCW

Vulnerability from github – Published: 2022-03-03 00:00 – Updated: 2022-03-17 00:04
VLAI
Details

There is an Assertion `num <= INT_BIT' failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-02T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is an Assertion `num \u003c= INT_BIT\u0027 failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.",
  "id": "GHSA-8w48-7hcw-qccw",
  "modified": "2022-03-17T00:04:21Z",
  "published": "2022-03-03T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45861"
    },
    {
      "type": "WEB",
      "url": "https://github.com/justdan96/tsMuxer/issues/478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/justdan96/tsMuxer/pull/481"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8W5Q-7H44-9VH9

Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-29 12:30
VLAI
Details

Reachable Assertion vulnerability in Open5GS up to version 2.7.5 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T13:15:45Z",
    "severity": "HIGH"
  },
  "details": "Reachable Assertion vulnerability in Open5GS up to version 2.7.5 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.",
  "id": "GHSA-8w5q-7h44-9vh9",
  "modified": "2025-10-29T12:30:25Z",
  "published": "2025-10-27T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41068"
    },
    {
      "type": "WEB",
      "url": "https://open5gs.org/open5gs/release/2025/03/30/release-v2.7.5.html"
    },
    {
      "type": "WEB",
      "url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8W8F-R2XV-4Q4J

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types
Details

On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to transit/keys/* can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type (rsa-*, ecdsa-*, ed25519) with derived: true. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.

Mount the transit engine:

 `curl -sS -X POST -H "X-Vault-Token: root" \
   -d '{"type":"transit"}' \
   http://127.0.0.1:8200/v1/sys/mounts/transit`

Trigger the crash:

 `curl -sS -w '\nHTTP %{http_code}\n' -X POST \
   -H "X-Vault-Token: root" \
   -H "Content-Type: application/json" \
   -d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \
   http://127.0.0.1:8200/v1/transit/keys/some-key-name`

You can try with both JSON or HCL It will crash the entire cluster.

Observed: HTTP 000 curl: (52) Empty reply from server

 $ docker ps -a --filter name=openbao
 STATUS: Exited (2)

Root Cause (Hypothesis) Key-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When derived: true is supplied alongside an asymmetric type, the creation path likely panics on a missing derived-key field or invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit policy.go / key-creation path.

Suggested fix: Validate the (type, derived) combination at the top of the create-key handler. Reject with a 400 if derived: true is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305, xchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "last_affected": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260617104123-db57c62602b2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to `transit/keys/*` can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric `type` (`rsa-*`, `ecdsa-*`, `ed25519`)\nwith `derived: true`. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.\n\n\nMount the transit engine:\n\n     `curl -sS -X POST -H \"X-Vault-Token: root\" \\\n       -d \u0027{\"type\":\"transit\"}\u0027 \\\n       http://127.0.0.1:8200/v1/sys/mounts/transit`\n\nTrigger the crash:\n\n     `curl -sS -w \u0027\\nHTTP %{http_code}\\n\u0027 -X POST \\\n       -H \"X-Vault-Token: root\" \\\n       -H \"Content-Type: application/json\" \\\n       -d \u0027{\"type\":\"rsa-2048\",\"derived\":true,\"exportable\":true,\"deletion_allowed\":false}\u0027 \\\n       http://127.0.0.1:8200/v1/transit/keys/some-key-name`\n\nYou can try with both JSON or HCL It will crash the entire cluster.\n\n  Observed:\n     HTTP 000\n     curl: (52) Empty reply from server\n\n     $ docker ps -a --filter name=openbao\n     STATUS: Exited (2)\n\nRoot Cause (Hypothesis)\nKey-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When `derived: true` is supplied alongside an asymmetric `type`, the creation path likely panics on a missing derived-key field or\n  invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit `policy.go` / key-creation path.\n\nSuggested fix:\nValidate the (`type`, `derived`) combination at the top of the create-key handler. Reject with a 400 if `derived: true` is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305,\nxchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.",
  "id": "GHSA-8w8f-r2xv-4q4j",
  "modified": "2026-06-19T21:42:09Z",
  "published": "2026-06-19T21:42:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-8w8f-r2xv-4q4j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/3309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/db57c62602b25da12951f3f0edb888e7c4da61e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.5.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types"
}

Mitigation
Implementation

Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)

Mitigation
Implementation

Strategy: Input Validation

Perform input validation on user data.

No CAPEC attack patterns related to this CWE.