Home > Vulnerability Database > CVE-2024-37305

Mend.io Vulnerability Database

CVE-2024-37305

Date: June 17, 2024

oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected. This issue has been patched in in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.

Language: C

Severity Score

8.2

Related Resources (4)

Url: https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-37305

Url: https://github.com/open-quantum-safe/oqs-provider/pull/416

Url: https://www.mend.io/vulnerability-database/CVE-2024-37305

Severity Score

8.2

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

Improper Handling of Length Parameter Inconsistency

CWE-130

Buffer Access with Incorrect Length Value

CWE-805

Integer Overflow to Buffer Overflow

CWE-680

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-37305

Date: June 17, 2024

Language: C

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?