CVE-2024-53984

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-53984
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53984.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-53984
Aliases
  • GHSA-xwqq-qxmw-hj5r
Downstream
Related
Published
2024-12-02T15:54:47.478Z
Modified
2026-02-04T03:20:41.494519Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Nanopb does not release memory on error return when using PB_DECODE_DELIMITED
Details

Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PBENABLEMALLOC is enabled, the message contains at least one field with FTPOINTER field type, custom stream callback is used with unknown stream length. and the pbdecodeex() function is used with flag PBDECODEDELIMITED, then the pbdecodeex() function does not automatically call pbrelease(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.

Database specific 
{
    "cwe_ids": [
        "CWE-401",
        "CWE-755"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53984.json"
}
References

Affected packages

Git / github.com/nanopb/nanopb

Affected ranges

Type
GIT
Repo
https://github.com/nanopb/nanopb
Events
Introduced
c29ca83ff47a7224172a74ccfee07d91fa040e4c
Fixed
cad3c18ef15a663e30e3e43e3a752b66378adec1

Affected versions

0.*
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.6.4
0.4.7
0.4.8
0.4.9
nanopb-0.*
nanopb-0.4.0
nanopb-0.4.0-dev
nanopb-0.4.1
nanopb-0.4.2
nanopb-0.4.3
nanopb-0.4.4
nanopb-0.4.5
nanopb-0.4.6
nanopb-0.4.7
nanopb-0.4.8
nanopb-0.4.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53984.json"