In Mcrouter prior to v0.41.0, the deprecated ASCII parser would allocate a buffer to a user-specified length with no maximum length enforced, allowing for resource exhaustion or denial of service.
{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.41.0"
}
],
"cpe": "cpe:2.3:a:facebook:mcrouter:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"2026-07-08T16:07:42Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11923.json"
[
{
"signature_type": "Line",
"target": {
"file": "mcrouter/lib/network/McAsciiParser.h"
},
"deprecated": false,
"digest": {
"line_hashes": [
"204285751708632397820198096865362966590",
"218963596161198465424678146777078642599",
"275199152256098293863193008935329626627"
],
"threshold": 0.9
},
"id": "CVE-2019-11923-8c58217a",
"source": "https://github.com/facebook/mcrouter/commit/98ce6624cd2563cfdb5da3b2949d5e1e03867034",
"signature_version": "v1"
}
]