Vulnerability Details : CVE-2020-26243
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding a specially formed message can leak memory if dynamic allocation is enabled, a oneof field contains a static submessage that itself contains a dynamic field, and the message being decoded contains that submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available:
1. Set the option `no_unions` for the oneof field. This generates the oneof members as separate fields instead of a C union and avoids triggering the problematic code.
2. Set the type of the submessage field inside the oneof to `FT_POINTER`. The whole submessage is then dynamically allocated and the problematic code is not executed.
3. Use an arena allocator for nanopb, so that all memory can be released afterwards.
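To make workarounds 1 and 2 concrete, the following is an added example of a nanopb `.options` file; it is not from this page or from the nanopb project. The message and field names (`Envelope`, `payload`, `Item`, `item`, `chunk`) are hypothetical and chosen to reproduce the vulnerable shape described above: a oneof holding a statically allocated submessage that itself has a dynamically allocated (`FT_POINTER`) field. The `Message.oneofname` selector for `no_unions` is an assumption about the generator's option lookup; setting `no_unions:true` on the message itself also applies to its oneofs, since nanopb options inherit downward.

```text
# Hypothetical schema shape (proto3) that this options file applies to:
#   message Item     { repeated bytes chunk = 1; }
#   message Envelope { oneof payload { Item item = 1; } }
#
# The dynamic field inside the static submessage. With PB_ENABLE_MALLOC
# defined, this is the field whose allocation is leaked when a decoded
# message repeats the `item` submessage (affected versions only).
Item.chunk          type:FT_POINTER

# Workaround 1: emit the oneof members as separate struct fields instead
# of a C union, so the union-clearing path that causes the leak is skipped.
# (Selector is Message.oneofname; assumed, see the note above.)
Envelope.payload    no_unions:true

# Workaround 2 (use instead of workaround 1, not in addition): make the whole
# submessage dynamically allocated, so no static submessage with a dynamic
# child lives inside the union.
# Envelope.item     type:FT_POINTER
```

Either option changes only the generated C struct layout, not the wire format, so existing peers keep interoperating; upgrading to 0.3.9.7 or 0.4.4 remains the proper fix, and the workaround only matters where the generated code must stay on an affected release.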
Vulnerability category: Overflow; Input validation
Products affected by CVE-2020-26243
- cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26243
- EPSS score: 0.34% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~71% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2020-26243
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2020-26243
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Primary)
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-26243
- https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
  Oneof fields with PB_ENABLE_MALLOC can leak memory (Advisory, nanopb/nanopb, GitHub). Tags: Third Party Advisory
- https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt
  nanopb/CHANGELOG.txt at 2b48a361786dfb1f63d229840217a93aae064667 (nanopb/nanopb, GitHub). Tags: Release Notes; Third Party Advisory
- https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c
  Fix memory leak with oneofs and PB_ENABLE_MALLOC (#615) (nanopb/nanopb@4fe2359, GitHub). Tags: Patch; Third Party Advisory
- https://github.com/nanopb/nanopb/issues/615
  Memory leak when parsing a protobuf message with duplicate fields (Issue #615, nanopb/nanopb, GitHub). Tags: Exploit; Patch; Third Party Advisory