CVE & CISA-KEV Catalog

CVE-2022-36078

HIGH
8.8
CVSS v3
NVD

Description

Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with (arbitrary) excessive size value, which can either exhaust available memory or crash the whole program. When using `github.com/gagliardetto/binary` to parse unchecked (or wrong type of) data from untrusted sources of input (e.g. the blockchain) into slices, it's possible to allocate memory with excessive size. When `dec.Decode(&val)` method is used to parse data into a structure that is or contains slices of values, the length of the slice was previously read directly from the data itself without any checks on the size of it, and then a slice was allocated. This could lead to an overflow and an allocation of memory with excessive size value. Users should upgrade to `v0.7.1` or higher. A workaround is not to rely on the `dec.Decode(&val)` function to parse the data, but to use a custom `UnmarshalWithDecoder()` method that reads and checks the length of any slice.

How to fix

Remediation Available
binaryNVD
Affected:< 0.7.1Fixed in:0.7.1CVE-2022-36078derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploit Intelligence

0.91%probability of exploitation in 30 days
55thpercentile

Moderate risk: more likely to be exploited than 55% of all known CVEs.

References

Exploit1
Third-Party Advisory1
Embed a live status badge for CVE-2022-36078
CVE-2022-36078 severity badge

Markdown

[![CVE-2022-36078](https://tridentstack.com/cve/badge/CVE-2022-36078.svg)](https://tridentstack.com/cve/CVE-2022-36078)

HTML

<a href="https://tridentstack.com/cve/CVE-2022-36078"><img src="https://tridentstack.com/cve/badge/CVE-2022-36078.svg" alt="CVE-2022-36078"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.