CVE-2024-42358

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published: Aug 6, 2024
Updated: Aug 12, 2024
CWE ID: 835

Summary

CVE-2024-42358 is a denial-of-service (DoS) vulnerability in the TTF parser of PDFio, a library used for reading and writing PDF files. A maliciously crafted TTF file can cause the parser to consume all available memory and enter an infinite loop, and the same flaw can also lead to a heap buffer overflow. The root cause is in the read_camp function, which is triggered by a manipulated nGroups value extracted from the file. Any deployment that parses untrusted input with the vulnerable library is exposed, including automated systems such as web servers that convert submitted PDFs into plaintext: an attacker who uploads a malicious TTF file can deny service to them. The vulnerability is fixed in release 1.3.1 and all users are advised to upgrade; there are no known workarounds.
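As an added illustration, not PDFio's code and not the patched read_camp function, the C check below shows the kind of validation that defeats a hostile nGroups value: the group count of a TrueType cmap format 12 subtable is reconciled with the declared subtable length and with the bytes actually present before it is allowed to size an allocation or bound a loop. The subtable layout follows the TrueType specification; the sample byte strings and the MAX_GROUPS cap are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* TrueType cmap format 12 header: format u16, reserved u16, length u32,
   language u32, numGroups u32, then numGroups 12-byte groups. */
#define CMAP12_HEADER_LEN 16u
#define CMAP12_GROUP_LEN  12u
#define MAX_GROUPS        65536u  /* sanity cap chosen for this example, not PDFio's */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and sets *out_groups if the subtable is well-formed, -1 otherwise.
   numGroups is checked against the declared length and the buffer size BEFORE
   it drives any allocation or loop bound, so a hostile value cannot trigger an
   oversized allocation or a runaway loop. */
int cmap12_validate(const unsigned char *buf, size_t buflen, uint32_t *out_groups) {
    if (buflen < CMAP12_HEADER_LEN || be16(buf) != 12) return -1;
    uint32_t length  = be32(buf + 4);
    uint32_t ngroups = be32(buf + 12);
    if (length < CMAP12_HEADER_LEN || length > buflen) return -1;
    /* Largest count the declared length can hold, computed without multiplying
       the untrusted ngroups, so the arithmetic itself cannot overflow. */
    uint32_t max_groups = (length - CMAP12_HEADER_LEN) / CMAP12_GROUP_LEN;
    if (ngroups > max_groups || ngroups > MAX_GROUPS) return -1;
    /* Groups must be ascending and non-overlapping, so each iteration advances. */
    uint32_t prev_end = 0;
    for (uint32_t i = 0; i < ngroups; i++) {
        const unsigned char *g = buf + CMAP12_HEADER_LEN + (size_t)i * CMAP12_GROUP_LEN;
        uint32_t start = be32(g), end = be32(g + 4);
        if (end < start || (i > 0 && start <= prev_end)) return -1;
        prev_end = end;
    }
    *out_groups = ngroups;
    return 0;
}

/* Constructed sample: a well-formed 2-group subtable (length 0x28 = 40 bytes). */
static const unsigned char GOOD[40] = {
    0x00,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x28, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x41, 0x00,0x00,0x00,0x5A, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x61, 0x00,0x00,0x00,0x7A, 0x00,0x00,0x00,0x1B };
/* Constructed sample: the same bytes with numGroups patched to 0xFFFFFFFF. */
static const unsigned char BAD[40] = {
    0x00,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x28, 0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,
    0x00,0x00,0x00,0x41, 0x00,0x00,0x00,0x5A, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x61, 0x00,0x00,0x00,0x7A, 0x00,0x00,0x00,0x1B };

int good_is_accepted(void) { uint32_t n = 0; return cmap12_validate(GOOD, sizeof GOOD, &n) == 0 && n == 2; }
int bad_is_rejected(void)  { uint32_t n = 0; return cmap12_validate(BAD, sizeof BAD, &n) == -1; }
```

The same length-versus-count reconciliation applies to any count field a font or PDF parser reads from untrusted input.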
