Vulnerability Description
A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019.01.28.00 and above of fizz, until v2019.08.05.00.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Facebook | Fizz | >= 2019.01.28.00, <= 2019.08.05.00 |
Related Weaknesses (CWE)
References
- https://github.com/facebookincubator/fizz/commit/3eaddb33619eaaf74a760872850c550 (Patch, Third Party Advisory)
- https://github.com/facebookincubator/fizz/commit/6bf67137ef1ee5cd70c842b014c322b (Patch, Third Party Advisory)
- https://www.facebook.com/security/advisories/cve-2019-11924 (Vendor Advisory)
FAQ
What is CVE-2019-11924?
CVE-2019-11924 is a vulnerability with a CVSS score of 7.5 (HIGH). A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019...
How severe is CVE-2019-11924?
CVE-2019-11924 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-11924?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Fizz.