Common Weakness Enumeration

CWE-617

Allowed

Reachable Assertion

Abstraction: Base · Status: Draft

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

989 vulnerabilities reference this CWE, most recent first.

GHSA-XQJC-V8PQ-QH2X

Vulnerability from github – Published: 2022-01-04 00:00 – Updated: 2022-01-13 00:01
VLAI
Details

Possible assertion in QOS request due to improper validation when multiple add or update request are received simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-03T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "Possible assertion in QOS request due to improper validation when multiple add or update request are received simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
  "id": "GHSA-xqjc-v8pq-qh2x",
  "modified": "2022-01-13T00:01:39Z",
  "published": "2022-01-04T00:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30335"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/december-2021-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XQMP-FXGV-XVQ5

Vulnerability from github – Published: 2026-03-30 13:04 – Updated: 2026-04-06 23:13
VLAI
Summary
libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling
Details

Description

Summary

The Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling.
After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer.

Attack Scenario

An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending crafted PRUNE control data: 1. Establish a standard libp2p session (TCP + Noise) and negotiate a stream multiplexer (mplex/yamux). 2. Open a Gossipsub stream and send an RPC containing ControlPrune with a very large backoff (chosen near boundary conditions, e.g. ~ i64::MAX - victim_uptime_seconds; example observed: 9223372036854674580 for ~28h uptime). 3. The value is parsed from protobuf and passed through Behaviour::handle_prune() into mesh/backoff update logic. 4. Initial storage path uses checked addition (Instant::now().checked_add(...)), so the malicious near-max value is retained. 5. On the next heartbeat (typically within ~43–74s), expiry logic computes backoff_time + slack using unchecked addition, which overflows and panics.

Impact

Remote unauthenticated denial of service (critical).
Any application exposing an affected libp2p-gossipsub listener can be crashed by a network-reachable peer that sends crafted PRUNE backoff values. The crash is triggered during heartbeat processing (not immediately at PRUNE parse time), and can be repeated by reconnecting and replaying the message.

Differences from CVE-2026-33040

This advisory is related to CVE-2026-33040 but it is not the same defect. CVE-2026-33040 addressed overflow during backoff insertion by adding checked arithmetic when converting PRUNE backoff into an Instant. The issue in this advisory occurs at a different location and at a different time: a near-maximum backoff can still be stored successfully, and the crash happens later in the heartbeat path when slack is added to that stored Instant using unchecked arithmetic. This report covers a distinct secondary overflow path in heartbeat expiry handling that remained reachable after the original insertion-side hardening.

This vulnerability was originally reported by the Security team of the Ethereum Foundation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libp2p-gossipsub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.49.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T13:04:03Z",
    "nvd_published_at": "2026-03-31T16:16:31Z",
    "severity": "HIGH"
  },
  "details": "## Description\n### Summary\nThe Rust libp2p Gossipsub implementation contains a remotely reachable panic in `backoff` expiry handling.  \nAfter a peer sends a crafted `PRUNE` control message with an attacker-controlled, near-maximum `backoff` value, the value is accepted and stored as an `Instant` near the representable upper bound. On a later heartbeat, the implementation performs unchecked `Instant + Duration` arithmetic (`backoff_time + slack`), which can overflow and panic with:\n`overflow when adding duration to instant`\nThis issue is reachable from any Gossipsub peer over normal `TCP + Noise + mplex/yamux` connectivity and requires no further authentication beyond becoming a protocol peer.\n### Attack Scenario\nAn attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending crafted `PRUNE` control data:\n1. Establish a standard libp2p session (`TCP + Noise`) and negotiate a stream multiplexer (`mplex`/`yamux`).\n2. Open a Gossipsub stream and send an RPC containing `ControlPrune` with a very large `backoff` (chosen near boundary conditions, e.g. `~ i64::MAX - victim_uptime_seconds`; example observed: `9223372036854674580` for ~28h uptime).\n3. The value is parsed from protobuf and passed through `Behaviour::handle_prune()` into mesh/backoff update logic.\n4. Initial storage path uses checked addition (`Instant::now().checked_add(...)`), so the malicious near-max value is retained.\n5. On the next heartbeat (typically within ~43\u201374s), expiry logic computes `backoff_time + slack` using unchecked addition, which overflows and panics.\n### Impact\nRemote unauthenticated denial of service (critical).  \nAny application exposing an affected `libp2p-gossipsub` listener can be crashed by a network-reachable peer that sends crafted `PRUNE` backoff values. The crash is triggered during heartbeat processing (not immediately at PRUNE parse time), and can be repeated by reconnecting and replaying the message.\n\n### Differences from CVE-2026-33040\nThis advisory is related to CVE-2026-33040 but it is not the same defect. CVE-2026-33040 addressed overflow during backoff insertion by adding checked arithmetic when converting PRUNE backoff into an Instant. The issue in this advisory occurs at a different location and at a different time: a near-maximum backoff can still be stored successfully, and the crash happens later in the heartbeat path when slack is added to that stored Instant using unchecked arithmetic.  This report covers a distinct secondary overflow path in heartbeat expiry handling that remained reachable after the original insertion-side hardening.\n\nThis vulnerability was originally reported by the Security team of the Ethereum Foundation.",
  "id": "GHSA-xqmp-fxgv-xvq5",
  "modified": "2026-04-06T23:13:23Z",
  "published": "2026-03-30T13:04:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34219"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-gc42-3jg7-rxr2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/rust-libp2p"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling"
}

GHSA-XR2G-WG2C-HRX6

Vulnerability from github – Published: 2022-04-02 00:00 – Updated: 2022-04-09 00:00
VLAI
Details

Possible assertion due to improper validation of TCI configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-01T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Possible assertion due to improper validation of TCI configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile",
  "id": "GHSA-xr2g-wg2c-hrx6",
  "modified": "2022-04-09T00:00:48Z",
  "published": "2022-04-02T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30329"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/march-2022-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XR65-FGV2-R9VH

Vulnerability from github – Published: 2025-08-05 03:31 – Updated: 2025-08-05 03:31
VLAI
Details

A vulnerability, which was classified as problematic, was found in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_DataBuffer::SetDataSize of the file Mp4Decrypt.cpp of the component mp4decrypt. The manipulation leads to allocation of resources. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-05T01:15:43Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_DataBuffer::SetDataSize of the file Mp4Decrypt.cpp of the component mp4decrypt. The manipulation leads to allocation of resources. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-xr65-fgv2-r9vh",
  "modified": "2025-08-05T03:31:18Z",
  "published": "2025-08-05T03:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/1037"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1AkRpx3wcMy3Ic9tQeQyRJybBipK72aQO/view?usp=drive_link"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.318666"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.318666"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.619602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XVM3-W96C-9WHC

Vulnerability from github – Published: 2025-02-25 15:34 – Updated: 2025-02-25 21:31
VLAI
Details

An issue was discovered in FlexRIC 2.0.0. It crashes during a Subscription Request denial-of-service (DoS) attack, triggered by an assertion error. An attacker must send a high number of E42 Subscription Requests to the Near-RT RIC component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34034"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-25T15:15:21Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in FlexRIC 2.0.0. It crashes during a Subscription Request denial-of-service (DoS) attack, triggered by an assertion error. An attacker must send a high number of E42 Subscription Requests to the Near-RT RIC component.",
  "id": "GHSA-xvm3-w96c-9whc",
  "modified": "2025-02-25T21:31:41Z",
  "published": "2025-02-25T15:34:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34034"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/fklement/3a43dbb9fb361dddd8db7703080ade0f"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eurecom.fr/mosaic5g/flexric/-/tags/v2.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX3P-5M4J-RHW8

Vulnerability from github – Published: 2024-09-19 12:31 – Updated: 2024-09-19 12:31
VLAI
Details

A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-19T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.",
  "id": "GHSA-xx3p-5m4j-rhw8",
  "modified": "2024-09-19T12:31:20Z",
  "published": "2024-09-19T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8354"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-8354"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX6R-3QQR-WH55

Vulnerability from github – Published: 2022-03-27 00:00 – Updated: 2022-03-31 00:00
VLAI
Details

tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c.",
  "id": "GHSA-xx6r-3qqr-wh55",
  "modified": "2022-03-31T00:00:32Z",
  "published": "2022-03-27T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27939"
    },
    {
      "type": "WEB",
      "url": "https://github.com/appneta/tcpreplay/issues/717"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5B75AFRJUGOYHCFG2ZV2JKSUPA6MSCT5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRCFJ6X3IVB7BT4KS6AHQMSL532YXYD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWRZO7BG6DHA5NAC3COB45WFXLYRIERC"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXV4-5PRV-8F29

Vulnerability from github – Published: 2025-12-25 06:30 – Updated: 2025-12-25 06:30
VLAI
Details

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-25T05:16:07Z",
    "severity": "MODERATE"
  },
  "details": "Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service.",
  "id": "GHSA-xxv4-5prv-8f29",
  "modified": "2025-12-25T06:30:26Z",
  "published": "2025-12-25T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49088"
    },
    {
      "type": "WEB",
      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXVM-GXXX-R9PG

Vulnerability from github – Published: 2025-07-01 12:31 – Updated: 2025-07-01 12:31
VLAI
Details

A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.5. This issue affects the function amf_state_operational of the file src/amf/amf-sm.c of the component AMF Service. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The identifier of the patch is 53e9e059ed96b940f7ddcd9a2b68cb512524d5db. It is recommended to apply a patch to fix this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-01T12:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.5. This issue affects the function amf_state_operational of the file src/amf/amf-sm.c of the component AMF Service. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The identifier of the patch is 53e9e059ed96b940f7ddcd9a2b68cb512524d5db. It is recommended to apply a patch to fix this issue.",
  "id": "GHSA-xxvm-gxxx-r9pg",
  "modified": "2025-07-01T12:31:02Z",
  "published": "2025-07-01T12:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6952"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open5gs/open5gs/issues/3938"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open5gs/open5gs/issues/3938#issuecomment-3012139813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open5gs/open5gs/commit/53e9e059ed96b940f7ddcd9a2b68cb512524d5db"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.314489"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.314489"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.605312"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)

Mitigation
Implementation

Strategy: Input Validation

Perform input validation on user data.

No CAPEC attack patterns related to this CWE.