Memory Exhaustion Vulnerability in Facebook Fizz Product
CVE-2019-11924

7.5HIGH

Key Information:

Vendor

Facebook

Status
Fizz
Vendor
CVE Published:
20 August 2019

What is CVE-2019-11924?

A vulnerability in Facebook's Fizz product allows a peer to send empty handshake fragments that contain only padding. This issue can lead to memory exhaustion as these fragments remain in memory until a complete handshake is received. Affected versions include Fizz from v2019.01.28.00 until v2019.08.05.00, posing a risk for applications using this library.

Affected Version(s)

fizz v2019.08.12.00

fizz v2019.01.28.00

References

https://github.com/facebookincubator/fizz/commit/6bf67137...
x_refsource_MISC
https://github.com/facebookincubator/fizz/commit/3eaddb33...
x_refsource_MISC
https://www.facebook.com/security/advisories/cve-2019-11924
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2019-11924 : Memory Exhaustion Vulnerability in Facebook Fizz Product