Vulnerability Description
In the course of decompressing HPACK inside the HTTP/2 protocol, an unexpected sequence of header table resize operations can place the header table into a corrupted state, leading to a use-after-free condition and undefined behavior. This issue affects Proxygen from v0.29.0 until v2017.04.03.00.
CVSS Score
CRITICAL (CVSS base score 9.8/10)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Facebook | Proxygen | >= 0.29.0, <= 2017.04.03.00 |
Related Weaknesses (CWE)
References
- https://github.com/facebook/proxygen/commit/f43b134cc5c19d8532e7fb670a1c02e85f7a (Patch, Third Party Advisory)
- https://www.facebook.com/security/advisories/cve-2019-11940 (Third Party Advisory)
FAQ
What is CVE-2019-11940?
CVE-2019-11940 is a vulnerability with a CVSS base score of 9.8 (CRITICAL). In the course of decompressing HPACK inside the HTTP/2 protocol, an unexpected sequence of header table resize operations can place the header table into a corrupted state, leading to a use-after-free ...
How severe is CVE-2019-11940?
CVE-2019-11940 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-11940?
Check the references section above for the vendor advisory and the fixing commit. Affected products include: Facebook Proxygen (versions >= 0.29.0 and <= 2017.04.03.00).