CVE-2023-26819 (GCVE-0-2023-26819)
Vulnerability from cvelistv5 – Published: 2025-04-19 00:00 – Updated: 2025-11-03 19:28
Summary
cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.
Severity ?
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| cJSON Project | cJSON | Affected: 1.7.15 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26819",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T15:08:15.987157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T15:09:07.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:10.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00014.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "cJSON",
"vendor": "cJSON Project",
"versions": [
{
"status": "affected",
"version": "1.7.15",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cjson_project:cjson:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.7.15",
"versionStartIncluding": "1.7.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-19T21:30:22.133Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/boofish/json_bugs/tree/main/cjson"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-26819",
"datePublished": "2025-04-19T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:28:10.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
SUSE-SU-2025:03520-1
Vulnerability from csaf_suse - Published: 2025-10-10 07:22 - Updated: 2025-10-10 07:22
Summary
Security update for cJSON
Notes
Title of the patch
Security update for cJSON
Description of the patch
This update for cJSON fixes the following issues:
- CVE-2023-26819: Allocate memory for the temporary buffer when parsing numbers (bsc#1241502)
- CVE-2025-57052: Fix the incorrect check in decode_array_index_from_pointer (bsc#1249112)
Patchnames
SUSE-2025-3520,SUSE-SLE-Product-WE-15-SP7-2025-3520
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cJSON",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cJSON fixes the following issues:\n\n- CVE-2023-26819: Allocate memory for the temporary buffer when paring numbers (bsc#1241502)\n- CVE-2025-57052: Fix the incorrect check in decode_array_index_from_pointer (bsc#1249112)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3520,SUSE-SLE-Product-WE-15-SP7-2025-3520",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03520-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03520-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503520-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03520-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042060.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241502",
"url": "https://bugzilla.suse.com/1241502"
},
{
"category": "self",
"summary": "SUSE Bug 1249112",
"url": "https://bugzilla.suse.com/1249112"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-26819 page",
"url": "https://www.suse.com/security/cve/CVE-2023-26819/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-57052 page",
"url": "https://www.suse.com/security/cve/CVE-2025-57052/"
}
],
"title": "Security update for cJSON",
"tracking": {
"current_release_date": "2025-10-10T07:22:44Z",
"generator": {
"date": "2025-10-10T07:22:44Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03520-1",
"initial_release_date": "2025-10-10T07:22:44Z",
"revision_history": [
{
"date": "2025-10-10T07:22:44Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-150700.3.3.1.aarch64",
"product": {
"name": "cJSON-devel-1.7.19-150700.3.3.1.aarch64",
"product_id": "cJSON-devel-1.7.19-150700.3.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-150700.3.3.1.aarch64",
"product": {
"name": "libcjson1-1.7.19-150700.3.3.1.aarch64",
"product_id": "libcjson1-1.7.19-150700.3.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-150700.3.3.1.i586",
"product": {
"name": "cJSON-devel-1.7.19-150700.3.3.1.i586",
"product_id": "cJSON-devel-1.7.19-150700.3.3.1.i586"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-150700.3.3.1.i586",
"product": {
"name": "libcjson1-1.7.19-150700.3.3.1.i586",
"product_id": "libcjson1-1.7.19-150700.3.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-150700.3.3.1.ppc64le",
"product": {
"name": "cJSON-devel-1.7.19-150700.3.3.1.ppc64le",
"product_id": "cJSON-devel-1.7.19-150700.3.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-150700.3.3.1.ppc64le",
"product": {
"name": "libcjson1-1.7.19-150700.3.3.1.ppc64le",
"product_id": "libcjson1-1.7.19-150700.3.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-150700.3.3.1.s390x",
"product": {
"name": "cJSON-devel-1.7.19-150700.3.3.1.s390x",
"product_id": "cJSON-devel-1.7.19-150700.3.3.1.s390x"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-150700.3.3.1.s390x",
"product": {
"name": "libcjson1-1.7.19-150700.3.3.1.s390x",
"product_id": "libcjson1-1.7.19-150700.3.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-150700.3.3.1.x86_64",
"product": {
"name": "cJSON-devel-1.7.19-150700.3.3.1.x86_64",
"product_id": "cJSON-devel-1.7.19-150700.3.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-150700.3.3.1.x86_64",
"product": {
"name": "libcjson1-1.7.19-150700.3.3.1.x86_64",
"product_id": "libcjson1-1.7.19-150700.3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product_id": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-we:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-150700.3.3.1.x86_64 as component of SUSE Linux Enterprise Workstation Extension 15 SP7",
"product_id": "SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
},
"product_reference": "libcjson1-1.7.19-150700.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Workstation Extension 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26819",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-26819"
}
],
"notes": [
{
"category": "general",
"text": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-26819",
"url": "https://www.suse.com/security/cve/CVE-2023-26819"
},
{
"category": "external",
"summary": "SUSE Bug 1241502 for CVE-2023-26819",
"url": "https://bugzilla.suse.com/1241502"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-10T07:22:44Z",
"details": "low"
}
],
"title": "CVE-2023-26819"
},
{
"cve": "CVE-2025-57052",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-57052"
}
],
"notes": [
{
"category": "general",
"text": "cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-57052",
"url": "https://www.suse.com/security/cve/CVE-2025-57052"
},
{
"category": "external",
"summary": "SUSE Bug 1249112 for CVE-2025-57052",
"url": "https://bugzilla.suse.com/1249112"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Workstation Extension 15 SP7:libcjson1-1.7.19-150700.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-10T07:22:44Z",
"details": "important"
}
],
"title": "CVE-2025-57052"
}
]
}
FKIE_CVE-2023-26819
Vulnerability from fkie_nvd - Published: 2025-04-19 22:15 - Updated: 2025-11-03 20:16
Severity ?
Summary
cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| cjson_project | cjson | 1.7.15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cjson_project:cjson:1.7.15:*:*:*:*:*:*:*",
"matchCriteriaId": "4BE8F553-8284-4077-A5AB-6DC1B7DCB3FF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}."
},
{
"lang": "es",
"value": "cJSON 1.7.15 podr\u00eda permitir una denegaci\u00f3n de servicio a trav\u00e9s de un documento JSON manipulado como {\"a\": true, \"b\": [ null,99999999999999999999999999999999999999999999912345678901234567]}."
}
],
"id": "CVE-2023-26819",
"lastModified": "2025-11-03T20:16:00.937",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.4,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
}
]
},
"published": "2025-04-19T22:15:14.103",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/boofish/json_bugs/tree/main/cjson"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00014.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-440"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
MSRC_CVE-2023-26819
Vulnerability from csaf_microsoft - Published: 2025-08-02 00:00 - Updated: 2026-02-21 03:31
Summary
cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-26819 cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2023-26819.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.",
"tracking": {
"current_release_date": "2026-02-21T03:31:58.000Z",
"generator": {
"date": "2026-02-24T08:07:46.150Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-26819",
"initial_release_date": "2025-08-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-08-07T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-12-07T01:44:25.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2026-02-21T03:31:58.000Z",
"legacy_version": "2.1",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "azl3 ceph 18.2.2-10",
"product": {
"name": "azl3 ceph 18.2.2-10",
"product_id": "5"
}
},
{
"category": "product_version_range",
"name": "azl3 ceph 18.2.2-11",
"product": {
"name": "azl3 ceph 18.2.2-11",
"product_id": "2"
}
},
{
"category": "product_version_range",
"name": "azl3 ceph 18.2.2-12",
"product": {
"name": "azl3 ceph 18.2.2-12",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "ceph"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 libglvnd 1.7.0-3",
"product": {
"name": "\u003cazl3 libglvnd 1.7.0-3",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "azl3 libglvnd 1.7.0-3",
"product": {
"name": "azl3 libglvnd 1.7.0-3",
"product_id": "20342"
}
}
],
"category": "product_name",
"name": "libglvnd"
},
{
"category": "product_name",
"name": "azl3 apparmor 3.1.7-1",
"product": {
"name": "azl3 apparmor 3.1.7-1",
"product_id": "3"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 ceph 18.2.2-10 as a component of Azure Linux 3.0",
"product_id": "17084-5"
},
"product_reference": "5",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 libglvnd 1.7.0-3 as a component of Azure Linux 3.0",
"product_id": "17084-4"
},
"product_reference": "4",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 libglvnd 1.7.0-3 as a component of Azure Linux 3.0",
"product_id": "20342-17084"
},
"product_reference": "20342",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 apparmor 3.1.7-1 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 ceph 18.2.2-11 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 ceph 18.2.2-12 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26819",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-3"
]
}
],
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20342-17084"
],
"known_affected": [
"17084-5",
"17084-4",
"17084-2",
"17084-1"
],
"known_not_affected": [
"17084-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-26819 cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2023-26819.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2025-08-07T00:00:00.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-5"
]
},
{
"category": "none_available",
"date": "2025-08-07T00:00:00.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-2"
]
},
{
"category": "none_available",
"date": "2025-08-07T00:00:00.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-1"
]
},
{
"category": "vendor_fix",
"date": "2025-08-07T00:00:00.000Z",
"details": "1.7.0-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-4"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 2.9,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"17084-5",
"17084-4",
"17084-2",
"17084-1"
]
}
],
"title": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}."
}
]
}
CVE-2023-26819
Vulnerability from fstec - Published: 19.04.2025
Title
Vulnerability in the cJSON.c component of cJSON, a C library for working with JSON objects, allowing an attacker to cause a denial of service
Description
The vulnerability in the cJSON.c component of cJSON, a C library for working with JSON objects, is caused by an expected behavior violation. Exploitation of the vulnerability may allow an attacker to cause a denial of service.
Severity ?
Vendor
Canonical Ltd., Red Hat Inc., Free software community, RusBITech-Astra LLC
Software Name
Ubuntu, Red Hat Enterprise Linux, OpenShift Container Platform, Debian GNU/Linux, Astra Linux Special Edition (entry No. 369 in the Unified Register of Russian Software), Red Hat Satellite, cJSON
Software Version
16.04 LTS (Ubuntu), 18.04 LTS (Ubuntu), 8 (Red Hat Enterprise Linux), 4 (OpenShift Container Platform), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 6 (Red Hat Satellite), 9 (Red Hat Enterprise Linux), 1.7.15 (cJSON)
Possible Mitigations
Update the JSON-C library for processing JSON files in C to version 1.7.16 or later
Follow the vendor recommendations:
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2023-26819
For Debian GNU/Linux software products:
https://security-tracker.debian.org/tracker/CVE-2023-26819
For Ubuntu software products:
https://ubuntu.com/security/CVE-2023-26819
Compensating measures:
- minimize user privileges;
- disable or remove unused user accounts;
- monitor cluster audit logs to track attempts to exploit the vulnerability.
For Astra Linux OS:
update the cjson package to 1.7.14-1.astra2+deb11u2 or a later version, following the vendor's recommendations: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17
Reference
https://access.redhat.com/security/cve/cve-2023-26819
https://security-tracker.debian.org/tracker/CVE-2023-26819
https://ubuntu.com/security/CVE-2023-26819
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17
CWE
CWE-440
{
"CVSS 2.0": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
"CVSS 3.0": "AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Canonical Ltd., Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "16.04 LTS (Ubuntu), 18.04 LTS (Ubuntu), 8 (Red Hat Enterprise Linux), 4 (OpenShift Container Platform), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 6 (Red Hat Satellite), 9 (Red Hat Enterprise Linux), 1.7.15 (cJSON)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 JSON \u0444\u0430\u0439\u043b\u043e\u0432 \u043d\u0430 \u044f\u0437\u044b\u043a\u0435 \u0421 JSON-C \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.7.16 \u0438\u043b\u0438 \u043d\u043e\u0432\u0435\u0435\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2023-26819\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2023-26819\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Ubuntu:\nhttps://ubuntu.com/security/CVE-2023-26819\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043c\u0438\u043d\u0438\u043c\u0438\u0437\u0430\u0446\u0438\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439;\n- \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435/\u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u043d\u0435\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 
\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439;\n- \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0436\u0443\u0440\u043d\u0430\u043b\u043e\u0432 \u0430\u0443\u0434\u0438\u0442\u0430 \u043a\u043b\u0430\u0441\u0442\u0435\u0440\u0430 \u0434\u043b\u044f \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438.\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 cjson \u0434\u043e 1.7.14-1.astra2+deb11u2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "19.04.2025",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "11.12.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "18.08.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-09919",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-26819",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Ubuntu, Red Hat Enterprise Linux, OpenShift Container Platform, Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Satellite, cJSON",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Canonical Ltd. Ubuntu 16.04 LTS , Canonical Ltd. Ubuntu 18.04 LTS , Red Hat Inc. Red Hat Enterprise Linux 8 , Canonical Ltd. Ubuntu 20.04 LTS , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Inc. Red Hat Enterprise Linux 9 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 cJSON.c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 JSON-\u043e\u0431\u044a\u0435\u043a\u0442\u0430\u043c\u0438 \u0432 C cJSON, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u043e\u0436\u0438\u0434\u0430\u0435\u043c\u043e\u0433\u043e \u043f\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f (CWE-440)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 cJSON.c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 JSON-\u043e\u0431\u044a\u0435\u043a\u0442\u0430\u043c\u0438 \u0432 C cJSON \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435\u043c \u043e\u0436\u0438\u0434\u0430\u0435\u043c\u043e\u0433\u043e \u043f\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://access.redhat.com/security/cve/cve-2023-26819\nhttps://security-tracker.debian.org/tracker/CVE-2023-26819\nhttps://ubuntu.com/security/CVE-2023-26819\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-440",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 1,2)\n\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 2,9)"
}
OPENSUSE-SU-2026:20340-1
Vulnerability from csaf_opensuse - Published: 2026-03-11 08:21 - Updated: 2026-03-11 08:21
Summary
Security update for cJSON
Notes
Title of the patch
Security update for cJSON
Description of the patch
This update for cJSON fixes the following issues:
- Update to version 1.7.19
  * Check for NULL in cJSON_DetachItemViaPointer.
  * Check overlap before calling strcpy in cJSON_SetValuestring.
  * Fix Max recursion depth for cJSON_Duplicate to prevent stack
    exhaustion.
  * Allocate memory for the temporary buffer when parsing numbers.
    This fixes CVE-2023-26819. (bsc#1241502)
  * Fix the incorrect check in decode_array_index_from_pointer.
    This fixes CVE-2025-57052. (bsc#1249112)
- Remove no longer needed patch for NULL to deallocated pointers.
Patchnames
openSUSE-Leap-16.0-369
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cJSON",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cJSON fixes the following issues:\n\n- Update to version 1.7.19\n * Check for NULL in cJSON_DetachItemViaPointer.\n * Check overlap before calling strcpy in cJSON_SetValuestring.\n * Fix Max recursion depth for cJSON_Duplicate to prevent stack\n exhaustion.\n * Allocate memory for the temporary buffer when paring numbers.\n This fixes CVE-2023-26819. (bsc#1241502)\n * Fix the incorrect check in decode_array_index_from_pointer.\n This fixes CVE-2025-57052. (bsc#1249112)\n- Remove not longer needed patch for NULL to deallocated pointers.\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-369",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20340-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1241502",
"url": "https://bugzilla.suse.com/1241502"
},
{
"category": "self",
"summary": "SUSE Bug 1249112",
"url": "https://bugzilla.suse.com/1249112"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-26819 page",
"url": "https://www.suse.com/security/cve/CVE-2023-26819/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-57052 page",
"url": "https://www.suse.com/security/cve/CVE-2025-57052/"
}
],
"title": "Security update for cJSON",
"tracking": {
"current_release_date": "2026-03-11T08:21:26Z",
"generator": {
"date": "2026-03-11T08:21:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20340-1",
"initial_release_date": "2026-03-11T08:21:26Z",
"revision_history": [
{
"date": "2026-03-11T08:21:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-160000.1.1.aarch64",
"product": {
"name": "cJSON-devel-1.7.19-160000.1.1.aarch64",
"product_id": "cJSON-devel-1.7.19-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-160000.1.1.aarch64",
"product": {
"name": "libcjson1-1.7.19-160000.1.1.aarch64",
"product_id": "libcjson1-1.7.19-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-160000.1.1.ppc64le",
"product": {
"name": "cJSON-devel-1.7.19-160000.1.1.ppc64le",
"product_id": "cJSON-devel-1.7.19-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-160000.1.1.ppc64le",
"product": {
"name": "libcjson1-1.7.19-160000.1.1.ppc64le",
"product_id": "libcjson1-1.7.19-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-160000.1.1.s390x",
"product": {
"name": "cJSON-devel-1.7.19-160000.1.1.s390x",
"product_id": "cJSON-devel-1.7.19-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-160000.1.1.s390x",
"product": {
"name": "libcjson1-1.7.19-160000.1.1.s390x",
"product_id": "libcjson1-1.7.19-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-160000.1.1.x86_64",
"product": {
"name": "cJSON-devel-1.7.19-160000.1.1.x86_64",
"product_id": "cJSON-devel-1.7.19-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-160000.1.1.x86_64",
"product": {
"name": "libcjson1-1.7.19-160000.1.1.x86_64",
"product_id": "libcjson1-1.7.19-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64"
},
"product_reference": "cJSON-devel-1.7.19-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le"
},
"product_reference": "cJSON-devel-1.7.19-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x"
},
"product_reference": "cJSON-devel-1.7.19-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64"
},
"product_reference": "cJSON-devel-1.7.19-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64"
},
"product_reference": "libcjson1-1.7.19-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le"
},
"product_reference": "libcjson1-1.7.19-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x"
},
"product_reference": "libcjson1-1.7.19-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
},
"product_reference": "libcjson1-1.7.19-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26819",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-26819"
}
],
"notes": [
{
"category": "general",
"text": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-26819",
"url": "https://www.suse.com/security/cve/CVE-2023-26819"
},
{
"category": "external",
"summary": "SUSE Bug 1241502 for CVE-2023-26819",
"url": "https://bugzilla.suse.com/1241502"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-11T08:21:26Z",
"details": "low"
}
],
"title": "CVE-2023-26819"
},
{
"cve": "CVE-2025-57052",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-57052"
}
],
"notes": [
{
"category": "general",
"text": "cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-57052",
"url": "https://www.suse.com/security/cve/CVE-2025-57052"
},
{
"category": "external",
"summary": "SUSE Bug 1249112 for CVE-2025-57052",
"url": "https://bugzilla.suse.com/1249112"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1.x86_64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.aarch64",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.ppc64le",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.s390x",
"openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-11T08:21:26Z",
"details": "important"
}
],
"title": "CVE-2025-57052"
}
]
}
OPENSUSE-SU-2025:15583-1
Vulnerability from csaf_opensuse - Published: 2025-09-29 00:00 - Updated: 2025-09-29 00:00
Summary
cJSON-devel-1.7.19-1.1 on GA media
Notes
Title of the patch
cJSON-devel-1.7.19-1.1 on GA media
Description of the patch
These are all security issues fixed in the cJSON-devel-1.7.19-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15583
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cJSON-devel-1.7.19-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cJSON-devel-1.7.19-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15583",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15583-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-26819 page",
"url": "https://www.suse.com/security/cve/CVE-2023-26819/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-57052 page",
"url": "https://www.suse.com/security/cve/CVE-2025-57052/"
}
],
"title": "cJSON-devel-1.7.19-1.1 on GA media",
"tracking": {
"current_release_date": "2025-09-29T00:00:00Z",
"generator": {
"date": "2025-09-29T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15583-1",
"initial_release_date": "2025-09-29T00:00:00Z",
"revision_history": [
{
"date": "2025-09-29T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-1.1.aarch64",
"product": {
"name": "cJSON-devel-1.7.19-1.1.aarch64",
"product_id": "cJSON-devel-1.7.19-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-1.1.aarch64",
"product": {
"name": "libcjson1-1.7.19-1.1.aarch64",
"product_id": "libcjson1-1.7.19-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-1.1.ppc64le",
"product": {
"name": "cJSON-devel-1.7.19-1.1.ppc64le",
"product_id": "cJSON-devel-1.7.19-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-1.1.ppc64le",
"product": {
"name": "libcjson1-1.7.19-1.1.ppc64le",
"product_id": "libcjson1-1.7.19-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-1.1.s390x",
"product": {
"name": "cJSON-devel-1.7.19-1.1.s390x",
"product_id": "cJSON-devel-1.7.19-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-1.1.s390x",
"product": {
"name": "libcjson1-1.7.19-1.1.s390x",
"product_id": "libcjson1-1.7.19-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cJSON-devel-1.7.19-1.1.x86_64",
"product": {
"name": "cJSON-devel-1.7.19-1.1.x86_64",
"product_id": "cJSON-devel-1.7.19-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcjson1-1.7.19-1.1.x86_64",
"product": {
"name": "libcjson1-1.7.19-1.1.x86_64",
"product_id": "libcjson1-1.7.19-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64"
},
"product_reference": "cJSON-devel-1.7.19-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le"
},
"product_reference": "cJSON-devel-1.7.19-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x"
},
"product_reference": "cJSON-devel-1.7.19-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cJSON-devel-1.7.19-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64"
},
"product_reference": "cJSON-devel-1.7.19-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64"
},
"product_reference": "libcjson1-1.7.19-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le"
},
"product_reference": "libcjson1-1.7.19-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x"
},
"product_reference": "libcjson1-1.7.19-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcjson1-1.7.19-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
},
"product_reference": "libcjson1-1.7.19-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26819",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-26819"
}
],
"notes": [
{
"category": "general",
"text": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-26819",
"url": "https://www.suse.com/security/cve/CVE-2023-26819"
},
{
"category": "external",
"summary": "SUSE Bug 1241502 for CVE-2023-26819",
"url": "https://bugzilla.suse.com/1241502"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-29T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2023-26819"
},
{
"cve": "CVE-2025-57052",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-57052"
}
],
"notes": [
{
"category": "general",
"text": "cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-57052",
"url": "https://www.suse.com/security/cve/CVE-2025-57052"
},
{
"category": "external",
"summary": "SUSE Bug 1249112 for CVE-2025-57052",
"url": "https://bugzilla.suse.com/1249112"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:cJSON-devel-1.7.19-1.1.x86_64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.aarch64",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.ppc64le",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.s390x",
"openSUSE Tumbleweed:libcjson1-1.7.19-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-29T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-57052"
}
]
}
GSD-2023-26819
Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
{
"GSD": {
"alias": "CVE-2023-26819",
"id": "GSD-2023-26819"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-26819"
],
"id": "GSD-2023-26819",
"modified": "2023-12-13T01:20:54.065592Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-26819",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
}
}
GHSA-WHX8-2789-8W4W
Vulnerability from github – Published: 2025-04-20 00:31 – Updated: 2025-11-03 21:33
Details
cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.
{
"affected": [],
"aliases": [
"CVE-2023-26819"
],
"database_specific": {
"cwe_ids": [
"CWE-440"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-19T22:15:14Z",
"severity": "LOW"
},
"details": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.",
"id": "GHSA-whx8-2789-8w4w",
"modified": "2025-11-03T21:33:41Z",
"published": "2025-04-20T00:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26819"
},
{
"type": "WEB",
"url": "https://github.com/boofish/json_bugs/tree/main/cjson"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00014.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}