Vulnerabilities > CVE-2023-6180 - Memory Leak vulnerability in Cloudflare Boring 4.0.0

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

LOW

network

low complexity

cloudflare

CWE-401

NVD

Published: 2023-12-05

Updated: 2023-12-12

Summary

The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

Vulnerable Configurations

Part	Description	Count
Application	Cloudflare Cloudflare Boring 4.0.0	1

Common Weakness Enumeration (CWE)

CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

References

https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4