Vulnerabilities > CVE-2019-14877 - NULL Pointer Dereference vulnerability in Newlib Project Newlib

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

newlib-project

CWE-476

NVD

Published: 2020-03-19

Updated: 2020-03-24

Summary

In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if the allocation succeeded or not. The access to _wds and _sign will trigger a null pointer dereference bug in case of a memory allocation failure.

Vulnerable Configurations

Part	Description	Count
Application	Newlib_Project Newlib Project Newlib - Newlib Project Newlib 1.9.0 Newlib Project Newlib 1.10.0 Newlib Project Newlib 1.11.0 Newlib Project Newlib 1.12.0 Newlib Project Newlib 1.13.0 Newlib Project Newlib 1.14.0 Newlib Project Newlib 1.15.0 Newlib Project Newlib 1.16.0 Newlib Project Newlib 1.17.0 Newlib Project Newlib 1.18.0 Newlib Project Newlib 1.19.0 Newlib Project Newlib 1.20.0 Newlib Project Newlib 2.0.0 Newlib Project Newlib 2.1.0 Newlib Project Newlib 2.2.0 Newlib Project Newlib 2.3.0 Newlib Project Newlib 2.4.0 Newlib Project Newlib 2.5.0 Newlib Project Newlib 3.0.0 Newlib Project Newlib 3.1.0 Newlib Project Newlib 3.2.0	22

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/