CVE-2023-28448 MEDIUM

CVE-2023-28448: Versionize is lacking bound checks, potentially leading to out of bounds memory access

Vendor Firecracker-Microvm
Product versionize
Weakness CWE-125
Published March 24, 2023
Last update February 19, 2025
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

01Description

Versionize is a framework for version tolerant serializion/deserialization of Rust data structures, designed for usecases that need fast deserialization times and minimal size overhead. An issue was discovered in the ‘Versionize::deserialize’ implementation provided by the ‘versionize’ crate for ‘vmm_sys_utils::fam::FamStructWrapper', which can lead to out of bounds memory accesses. The impact started with version 0.1.1. The issue was corrected in version 0.1.10 by inserting a check that verifies, for any deserialized header, the lengths of compared flexible arrays are equal and aborting deserialization otherwise.

Key dates

02Disclosure timeline

March 24, 2023 CVE published
February 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-3298 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Malformed OSPF Packets Processing Denial of Service Vulnerability CVE-2024-38132 Windows Network Address Translation (NAT) Denial of Service Vulnerability CVE-2021-37679 Heap OOB in nested `tf.map_fn` with `RaggedTensor`s in TensorFlow CVE-2021-21042 Acrobat Reader DC Out-Of-Bounds Read Information Disclosure Vulnerability CVE-2025-11789 Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50