Heap-Based Use-After-Free Vulnerability in Google gRPC
CVE-2017-8359

9.8CRITICAL

Key Information:

Vendor

Grpc

Status
Grpc
Vendor
CVE Published:
30 April 2017

What is CVE-2017-8359?

Google gRPC prior to March 29, 2017, contains a vulnerability that allows an attacker to exploit an out-of-bounds write. This issue arises from a heap-based use-after-free scenario in the grpc_call_destroy function located in core/lib/surface/call.c. Exploiting this vulnerability could lead to unexpected application behavior or potential system compromise, depending on the context in which gRPC is used.

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=726
x_refsource_MISC
http://www.securityfocus.com/bid/98280
vdb-entryx_refsource_BID
https://github.com/grpc/grpc/pull/10353
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.