Vulnerability Details : CVE-2019-11922
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Products affected by CVE-2019-11922
- cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11922
- EPSS score: 1.85% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~88% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-11922
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2019-11922
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-11922
- https://www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update Advisory - October 2020)
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html ([security-announce] openSUSE-SU-2019:1845-1: moderate: Security update f)
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html ([security-announce] openSUSE-SU-2019:1952-1: moderate: Security update f)
- https://usn.ubuntu.com/4108-1/ (USN-4108-1: Zstandard vulnerability | Ubuntu security notices)
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html ([security-announce] openSUSE-SU-2019:2008-1: moderate: Security update f)
- https://www.facebook.com/security/advisories/cve-2019-11922 (Facebook; Vendor Advisory)
- https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0 (fixed T36302471 by Cyan4973 · Pull Request #1404 · facebook/zstd · GitHub; Patch, Third Party Advisory)