CVE-2023-6180 MEDIUM

CVE-2023-6180: Resource exhaustion via memory leak in tokio-boring

Vendor Cloudflare

Product tokio-boring

Weakness CWE-400

Published December 5, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

Key dates

02Disclosure timeline

December 5, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-6180 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html

Related vulnerabilities

CVE-2023-6180: Resource exhaustion via memory leak in tokio-boring

01Description

02Disclosure timeline

03References

04Related CVE