Zserio Unbounded Memory Allocation Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Zserio serialization framework in versions prior to 2.18.1. A crafted payload as small as 4 to 5 bytes can make the deserializer attempt memory allocations of up to 16 GB, so the affected process aborts with an out-of-memory error. The root cause is that length (size) values read from the input stream are used to allocate memory before they are checked against the number of bytes actually remaining in the stream, so an attacker controls the allocation size with a handful of bytes.
Impact
Exploitation causes the deserializing process to crash with an out-of-memory error, resulting in a denial-of-service condition. Any component that deserializes Zserio-encoded data from an untrusted source is exposed.
Reproduction
The vulnerability can be reproduced by feeding the deserializer a 4- to 5-byte payload in which the variable-length size field (the length prefix that precedes variable-length data such as arrays and strings) declares far more elements than the remaining input could possibly hold. Because the size is not checked against the available stream, the deserializer allocates for the declared count before it notices that the input has run out. The behaviour reproduces with the Zserio C++ and Java runtimes.
Remediation
Users are advised to update to Zserio version 2.18.1 or later. In every runtime, a variable size read from the stream should be validated against the number of bytes still available before any allocation based on it is made; a size that cannot be satisfied by the remaining input must be rejected as a malformed message rather than allocated for.
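The following Python example, written for this page and not taken from the Zserio runtime, models the reproduction and the remediation described above. It assumes a hypothetical schema with a single auto array `uint64 values[]`, encoded as a varsize element count followed by big-endian uint64 values; the varsize layout (a continuation bit in the top bit of the first four bytes, seven payload bits each, and a full eight-bit fifth byte, for a range of 0 to 2^31-1) follows Zserio's documented encoding as the author of this example understands it and should be treated as an assumption of the example. A 5-byte payload holding only the maximum varsize declares 2^31-1 elements, which is 16 GiB of uint64 values; the unchecked reader allocates for that count, the checked reader compares the count against the bytes left in the stream first and rejects the message.

```python
"""Toy model of a Zserio-style length-prefixed array read (constructed example).

Assumed schema (hypothetical):  uint64 values[];
Assumed wire format: varsize(count) followed by count big-endian uint64 values.
"""
import struct

VARSIZE_MAX = 0x7FFFFFFF  # varsize range is 0 .. 2^31-1
ELEM_SIZE = 8             # bytes per uint64 element


def encode_varsize(value: int) -> bytes:
    """Encode a varsize: continuation bit in the top bit of bytes 1-4 (7 payload
    bits each), a full 8-bit fifth byte. Layout assumed from the Zserio docs."""
    if not 0 <= value <= VARSIZE_MAX:
        raise ValueError("varsize out of range")
    if value < 1 << 7:
        return bytes([value])
    if value < 1 << 14:
        return bytes([0x80 | (value >> 7), value & 0x7F])
    if value < 1 << 21:
        return bytes([0x80 | (value >> 14), 0x80 | ((value >> 7) & 0x7F),
                      value & 0x7F])
    if value < 1 << 28:
        return bytes([0x80 | (value >> 21), 0x80 | ((value >> 14) & 0x7F),
                      0x80 | ((value >> 7) & 0x7F), value & 0x7F])
    return bytes([0x80 | ((value >> 29) & 0x7F), 0x80 | ((value >> 22) & 0x7F),
                  0x80 | ((value >> 15) & 0x7F), 0x80 | ((value >> 8) & 0x7F),
                  value & 0xFF])


def decode_varsize(buf: bytes, pos: int = 0):
    """Decode a varsize at buf[pos]; returns (value, position after it)."""
    value = 0
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos
    value = (value << 8) | buf[pos]  # fifth byte carries 8 payload bits
    pos += 1
    if value > VARSIZE_MAX:
        raise ValueError("varsize out of range")
    return value, pos


def declared_allocation_bytes(payload: bytes) -> int:
    """Bytes a reader that trusts the size field would allocate (no allocation here)."""
    count, _ = decode_varsize(payload)
    return count * ELEM_SIZE


def read_values_unchecked(payload: bytes) -> list:
    """Vulnerable pattern: allocate for the declared count, then read.
    On the crafted 5-byte payload this reserves a 2^31-1 element list
    (8 bytes per slot in CPython, about 16 GiB) before the first read fails."""
    count, pos = decode_varsize(payload)
    values = [0] * count                      # size driven by attacker data
    for i in range(count):
        values[i] = struct.unpack_from(">Q", payload, pos)[0]  # fails once input runs out
        pos += ELEM_SIZE
    return values


def read_values_checked(payload: bytes) -> list:
    """Hardened pattern: bound the declared count by the bytes actually left."""
    count, pos = decode_varsize(payload)
    remaining = len(payload) - pos
    if count > remaining // ELEM_SIZE:
        raise ValueError(f"declared size {count} exceeds remaining stream ({remaining} bytes)")
    return [struct.unpack_from(">Q", payload, pos + i * ELEM_SIZE)[0] for i in range(count)]


def crafted_payload() -> bytes:
    """Constructed attack input: the maximum varsize and nothing after it (5 bytes)."""
    return encode_varsize(VARSIZE_MAX)


if __name__ == "__main__":
    benign = encode_varsize(3) + struct.pack(">3Q", 1, 2, 3)
    print("benign:", read_values_unchecked(benign), read_values_checked(benign))
    evil = crafted_payload()
    print(f"{len(evil)} bytes declare {declared_allocation_bytes(evil) / 2**30:.3f} GiB")
    try:
        read_values_checked(evil)
    except ValueError as err:
        print("rejected:", err)
    # read_values_unchecked(evil) is deliberately not called: it would try to
    # allocate the full declared size, which is the crash this page describes.
```

The check in `read_values_checked` is the one the remediation calls for: the element count is compared against what the remaining stream can hold before anything is allocated, so the cost of a malformed message stays proportional to the bytes actually received.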
