CVE-2025-0838
Published: 21 February 2025
Description
There exists a heap buffer overflow vulnerability in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}_hash_{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1.
Security Summary
CVE-2025-0838 is a heap buffer overflow vulnerability in the Abseil-cpp library (CWE-190: Integer Overflow or Wraparound). It affects the sized constructors, reserve(), and rehash() methods of absl::flat_hash_set, absl::flat_hash_map, absl::node_hash_set, and absl::node_hash_map. These methods failed to impose an upper bound on the size argument, enabling a caller to supply an excessively large value. This triggers an integer overflow when calculating the container's backing store size, leading to an out-of-bounds memory write, with subsequent container accesses potentially causing additional out-of-bounds reads or writes.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required (CVSS v3.1 base score 9.8; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By passing a crafted large size argument to the vulnerable methods, the attacker induces the overflow and out-of-bounds write, which could result in arbitrary code execution, data corruption, or denial of service through memory corruption in applications relying on these Abseil-cpp hash container implementations.
Mitigation involves upgrading Abseil-cpp past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1, as detailed in the project's GitHub commit. Debian LTS has also announced updates addressing this issue in affected packages.
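The following C++ is an added illustration of the defect class the description and summary name, not Abseil's code and not the fixing commit: an unchecked backing-store size computation that wraps around for a very large capacity, beside a bounded version that rejects such a request up front. The `Slot` type, the simplified slots-plus-control-bytes layout, and all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// Hypothetical slot type standing in for one hash-map entry (not Abseil's).
struct Slot { std::uint64_t key; std::uint64_t value; };

// Illustrative model of a swiss-table-style backing store: `capacity` slots
// followed by `capacity + 1` control bytes (one per slot plus a sentinel).
// This is a simplification for the example, not the library's real layout.

// Unchecked computation, mirroring the CWE-190 defect class: for a very large
// capacity the multiplication wraps, so the byte count returned (and thus the
// allocation) is far smaller than what the container later indexes into.
std::size_t UncheckedAllocSize(std::size_t capacity) {
    return capacity * sizeof(Slot) + capacity + 1;
}

// Hardened computation: impose an upper bound on the requested capacity so
// that no arithmetic step can wrap. Returns std::nullopt instead of a wrapped
// value, which the caller must treat as "refuse the request".
std::optional<std::size_t> CheckedAllocSize(std::size_t capacity) {
    constexpr std::size_t kMax = std::numeric_limits<std::size_t>::max();
    // Largest capacity for which capacity * (sizeof(Slot) + 1) + 1 fits.
    constexpr std::size_t kMaxCapacity = (kMax - 1) / (sizeof(Slot) + 1);
    if (capacity > kMaxCapacity) return std::nullopt;
    return capacity * sizeof(Slot) + capacity + 1;
}

// What a bounded reserve()/rehash()/sized constructor would check first.
bool IsSafeReserve(std::size_t requested) {
    return CheckedAllocSize(requested).has_value();
}
```

For the wrapped case, the unchecked result comes out smaller than the capacity itself, which is the tell-tale sign of the undersized allocation that precedes the out-of-bounds write.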
Details
- CWE(s)