Resource exhaustion via memory leak in tokio-boring
CVE-2023-6180

5.3MEDIUM

Key Information:

Vendor: Cloudflare
Status: tokio-boring
Vendor: CVE Published:; 5 December 2023

What is CVE-2023-6180?

The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

Affected Version(s)

tokio-boring 4.0.0 <= 4.1.0

References

https://github.com/cloudflare/boring/security/advisories/...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2023
Vulnerability Reserved
Nov 16, 2023

Credit

Eric Rosenberg

Cloudflare

What is CVE-2023-6180?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit