CVE-2023-28448— Versionize is lacking bound checks, potentially leading to out of bounds memory access
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-28448
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Versionize is lacking bound checks, potentially leading to out of bounds memory access
Source: NVD (National Vulnerability Database)
Vulnerability Description
Versionize is a framework for version tolerant serializion/deserialization of Rust data structures, designed for usecases that need fast deserialization times and minimal size overhead. An issue was discovered in the ‘Versionize::deserialize’ implementation provided by the ‘versionize’ crate for ‘vmm_sys_utils::fam::FamStructWrapper', which can lead to out of bounds memory accesses. The impact started with version 0.1.1. The issue was corrected in version 0.1.10 by inserting a check that verifies, for any deserialized header, the lengths of compared flexible arrays are equal and aborting deserialization otherwise.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存读
Source: NVD (National Vulnerability Database)
Vulnerability Title
Versionize 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Versionize是用于 Rust 数据结构的版本容忍序列化/反序列化的框架,专为需要快速反序列化时间和最小尺寸开销的用例而设计。 Versionize 存在缓冲区错误漏洞,该漏洞源于存在越界内存访问问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| firecracker-microvm | versionize | < 0.1.10 | - |
II. Public POCs for CVE-2023-28448
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-28448
请登录查看更多情报信息。
- https://github.com/firecracker-microvm/versionize/pull/53x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-28448
IV. Related Vulnerabilities
Same weakness: CWE-125
- CVE-2026-8177
XML::LibXML versions through 2.0210 for Perl read out-of-bou - CVE-2026-6104
Global buffer over-read in mb_convert_encoding() with attack - CVE-2026-7258
Out-of-bounds read in urldecode() on NetBSD - CVE-2026-8186
Open5GS NF client.c ogs_sbi_client_send_via_scp_or_sepp out- - CVE-2026-3508
ASUS System Control Interface 缓冲区错误漏洞
V. Comments for CVE-2023-28448
No comments yet