Critical severity9.8NVD Advisory· Published Dec 10, 2017· Updated May 13, 2026

CVE-2017-17484

Description

The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.

Affected products

Icu Project/International Components For Unicode
cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:*
Range: <=60.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

ssl.icu-project.org/trac/changeset/40714nvdIssue TrackingPatchVendor Advisory
ssl.icu-project.org/trac/attachment/ticket/13490/poc.cppnvdExploitVendor Advisory
github.com/znc/znc/issues/1459nvdIssue TrackingThird Party Advisory
ssl.icu-project.org/trac/changeset/40715nvdIssue TrackingVendor Advisory
ssl.icu-project.org/trac/ticket/13490nvdIssue TrackingVendor Advisory
ssl.icu-project.org/trac/ticket/13510nvdIssue TrackingVendor Advisory
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000