CVE-2018-7167

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-7167
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7167.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-7167
Downstream
Related
Published
2018-06-13T16:29:01.860Z
Modified
2026-02-13T01:36:02.834248Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8c9f0d0fb4c3b8625c4b7a2ec654655fe9a67c92
Introduced
f76ce0a75641991bfc235775a4747c978e0e281b
Fixed
90ada2627995cf1216366c94fb6c5fc472834954
Introduced
fa9990f3fb5b06fe94e294925246d2c136deb2c2
Fixed
b5339ff549fcd7ff7f228d00d0ff79b78a347dc6

Affected versions

v8.*
v8.10.0
v8.11.0
v8.11.1
v8.11.2
v8.9.0
v8.9.1
v8.9.2
v8.9.3
v8.9.4
v9.*
v9.0.0
v9.1.0
v9.10.0
v9.10.1
v9.11.0
v9.11.1
v9.2.0
v9.2.1
v9.3.0
v9.4.0
v9.5.0
v9.6.0
v9.6.1
v9.7.0
v9.7.1
v9.8.0
v9.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7167.json"