Memory Exhaustion Vulnerability in Facebook Fizz Product
CVE-2019-11924

7.5HIGH

Key Information:

Vendor: Facebook
Status: Fizz
Vendor: CVE Published:; 20 August 2019

🔔 Create Facebook Vulnerability Alert

What is CVE-2019-11924?

A vulnerability in Facebook's Fizz product allows a peer to send empty handshake fragments that contain only padding. This issue can lead to memory exhaustion as these fragments remain in memory until a complete handshake is received. Affected versions include Fizz from v2019.01.28.00 until v2019.08.05.00, posing a risk for applications using this library.

Affected Version(s)

fizz v2019.08.12.00

fizz v2019.01.28.00

References

https://github.com/facebookincubator/fizz/commit/6bf67137...

x_refsource_MISC

https://github.com/facebookincubator/fizz/commit/3eaddb33...

x_refsource_MISC

https://www.facebook.com/security/advisories/cve-2019-11924

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2019
Vulnerability Reserved
May 13, 2019

.