CVE-2020-5235

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-5235
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5235.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-5235
Published
2020-02-04T03:15:10.657Z
Modified
2025-11-20T11:27:57.600213Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

There is a potentially exploitable out-of-memory condition in Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field, and realloc() runs out of memory when expanding the array, nanopb can end up calling free() on a pointer value that comes from uninitialized memory. Depending on the platform, this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, and nanopb-0.2.9.4.

Affected packages

Git / github.com/nanopb/nanopb

Affected ranges

Type
GIT
Repo
https://github.com/nanopb/nanopb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed

Affected versions

0.*

0.3.6
0.3.7
0.3.8
0.3.9
0.3.9.1
0.3.9.2
0.3.9.3
0.3.9.4
0.4.0

nanopb-0.*

nanopb-0.1.0
nanopb-0.1.1
nanopb-0.1.2
nanopb-0.1.3
nanopb-0.1.4
nanopb-0.1.5
nanopb-0.1.6
nanopb-0.1.7
nanopb-0.1.8
nanopb-0.1.9
nanopb-0.2.0
nanopb-0.2.1
nanopb-0.2.2
nanopb-0.2.3
nanopb-0.2.4
nanopb-0.2.5
nanopb-0.2.6
nanopb-0.2.7
nanopb-0.2.8
nanopb-0.2.9
nanopb-0.2.9.1
nanopb-0.2.9.2
nanopb-0.2.9.3
nanopb-0.3.0
nanopb-0.3.1
nanopb-0.3.2
nanopb-0.3.3
nanopb-0.3.4
nanopb-0.3.5
nanopb-0.3.6
nanopb-0.3.7
nanopb-0.3.8
nanopb-0.3.9
nanopb-0.3.9.1
nanopb-0.3.9.2
nanopb-0.3.9.3
nanopb-0.3.9.4
nanopb-0.4.0
nanopb-0.4.0-dev
