CVE-2019-11922
8.1
HIGH
CVSS 3.1
EPSS 0.62%
Description
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size (the value returned by ZSTD_compressBound() for the input size) was used. The race is triggered by callers that under-size the destination buffer; callers that size it correctly are not affected, but upgrading is still the fix because the buffer size is not something the library can enforce on the caller's behalf.
How to fix CVE-2019-11922
To remediate CVE-2019-11922, upgrade the affected package to one of the fixed versions listed below (upstream fix: Zstandard 1.3.8). Applications that bundle or statically link their own copy of libzstd must be rebuilt against 1.3.8 or later as well; the distribution package upgrade does not reach them.
- Alpine/zstd—upgrade to 1.3.8-r0 or later
- Debian/libzstd—upgrade to 1.3.8+dfsg-2 or later
Is CVE-2019-11922 being exploited?
Low. EPSS is 0.62%, meaning the model estimates roughly a 0.6% probability that this vulnerability is exploited in the wild within the next 30 days. EPSS is a probability estimate, not a report of observed exploitation, so it should be read alongside your own telemetry rather than as confirmation that no attacks have occurred.
Affected packages (2)
- Alpine zstd: from 0, < 1.3.8-r0
- Debian libzstd: from 0, < 1.3.8+dfsg-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |