CVE-2019-20063
Description
libmysofa before 0.8 has an uninitialized memory read in hdf/dataobject.c, triggerable via mysofa2json.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libmysofa versions before 0.8, the HDF data-object parser in hdf/dataobject.c reads memory before it has been written, so values that never came from the input file are treated as parsed data. The uninitialized read can be demonstrated with the bundled mysofa2json utility. Per the upstream issue, the bug was present up to commit 3dba53f and was resolved in the v0.8 release [1][2].
Exploitation
The uninitialized read is triggered by feeding a crafted input file (a SOFA/HDF5 file, the format libmysofa parses) to mysofa2json; the bug lives in the library, so any program that parses untrusted files with a vulnerable libmysofa is exposed in the same way. No privileges or authentication are required beyond getting the file processed. The bug was found by fuzzing, and a proof-of-concept input exists [2].
Impact
Successful exploitation makes the library consume memory that was never written, so the JSON that mysofa2json emits can carry bytes left over from earlier allocations: an information disclosure from the process's address space. Depending on what the unwritten values are used for, the read may also cause unpredictable behaviour or a crash rather than a clean leak [1][2].
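The bug class behind the Exploitation and Impact sections, as an added illustration that is not libmysofa's code (this page has no source context for the real fix, so the hardened reader shows the general remedy, not the v0.8 patch). A toy length-prefixed "data object" reader ignores short reads, so a truncated file leaves the tail of the output record holding whatever the memory contained before, which is then reported as file content; the hardened reader clears the record, checks every read length and bounds the declared length. The record layout, magic value, function names and both file images are hypothetical and constructed for the demo. The stale memory is simulated by pre-filling the record with 0xAA so the leak is observable deterministically; in a real build the same defect is what MemorySanitizer or valgrind reports as a use of uninitialized memory.

```c
/*
 * Added illustration, not libmysofa's code. A toy length-prefixed "data
 * object" reader shows the bug class behind CVE-2019-20063 (memory that a
 * short read never filled is treated as parsed data) next to a hardened
 * reader. The record layout, magic value and function names are
 * hypothetical; the file images below are constructed for the demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

typedef struct {
    uint32_t magic;             /* 'O','B','J','H' in the toy format */
    uint32_t len;               /* declared payload length */
    uint8_t  payload[PAYLOAD_MAX];
} record_t;

/* In-memory stand-in for a file: rd_read() behaves like fread() and may
 * return fewer bytes than requested at end of file. */
typedef struct { const uint8_t *data; size_t size, pos; } reader_t;

static size_t rd_read(reader_t *r, void *dst, size_t n) {
    size_t avail = r->size - r->pos;
    size_t take  = n < avail ? n : avail;
    memcpy(dst, r->data + r->pos, take);
    r->pos += take;
    return take;
}

static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Vulnerable pattern: read lengths are never checked, so on a truncated
 * file the tail of out->payload keeps whatever the memory held before
 * and is later reported as file content. */
static int parse_record_vuln(reader_t *r, record_t *out) {
    uint8_t hdr[8];
    rd_read(r, hdr, sizeof hdr);
    out->magic = le32(hdr);
    out->len   = le32(hdr + 4);
    uint32_t n = out->len < PAYLOAD_MAX ? out->len : PAYLOAD_MAX;
    rd_read(r, out->payload, n);          /* short read silently ignored */
    return 0;
}

/* Hardened form: clear the output first, insist on every byte the header
 * promises, and reject a declared length the buffer cannot hold. */
static int parse_record_fixed(reader_t *r, record_t *out) {
    uint8_t hdr[8];
    memset(out, 0, sizeof *out);
    if (rd_read(r, hdr, sizeof hdr) != sizeof hdr) return -1;
    out->magic = le32(hdr);
    out->len   = le32(hdr + 4);
    if (out->len > PAYLOAD_MAX) return -1;
    if (rd_read(r, out->payload, out->len) != out->len) return -1;
    return 0;
}

/* Constructed inputs: a well-formed record, and one whose header promises
 * 16 payload bytes but carries only 4 (the truncation is confined to the
 * payload so the toy stays deterministic and free of real UB). */
static const uint8_t VALID_IMAGE[]     = { 'O','B','J','H', 4,0,0,0,  'A','B','C','D' };
static const uint8_t TRUNCATED_IMAGE[] = { 'O','B','J','H', 16,0,0,0, 'A','B','C','D' };

/* Parse img with parse, with the record pre-filled with 0xAA to stand in
 * for stale heap contents (a real allocation holds arbitrary leftovers).
 * Returns the parser's status; *stale receives how many payload bytes
 * still hold the pattern, i.e. how many bytes would leak into the output. */
static int run_parser(int (*parse)(reader_t *, record_t *),
                      const uint8_t *img, size_t img_len, int *stale) {
    record_t rec;
    memset(&rec, 0xAA, sizeof rec);
    reader_t r = { img, img_len, 0 };
    int rc = parse(&r, &rec);
    *stale = 0;
    for (size_t i = 0; i < PAYLOAD_MAX; i++)
        *stale += (rec.payload[i] == 0xAA);
    return rc;
}

int vuln_status_truncated(void)  { int s; return run_parser(parse_record_vuln,  TRUNCATED_IMAGE, sizeof TRUNCATED_IMAGE, &s); }
int vuln_stale_truncated(void)   { int s; run_parser(parse_record_vuln,  TRUNCATED_IMAGE, sizeof TRUNCATED_IMAGE, &s); return s; }
int fixed_status_truncated(void) { int s; return run_parser(parse_record_fixed, TRUNCATED_IMAGE, sizeof TRUNCATED_IMAGE, &s); }
int fixed_status_valid(void)     { int s; return run_parser(parse_record_fixed, VALID_IMAGE, sizeof VALID_IMAGE, &s); }

int main(void) {
    printf("vulnerable reader on truncated file: status %d, %d stale payload bytes\n",
           vuln_status_truncated(), vuln_stale_truncated());
    printf("hardened reader on truncated file:   status %d\n", fixed_status_truncated());
    printf("hardened reader on valid file:       status %d\n", fixed_status_valid());
    return 0;
}
```

The vulnerable reader reports success on the truncated image and hands back 12 payload bytes it never read; the hardened reader rejects the same image and accepts the well-formed one. The design point is that every fread()-style call must have its return value compared against the length the header promised, and output structures should be zeroed (or only ever exposed after a complete read) so a rejected file cannot leak allocator leftovers.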
Mitigation
The vulnerability is fixed in libmysofa v0.8 and later; upgrade to at least v0.8 [1]. The openSUSE and SUSE packages listed under Affected products carry the fix from 0.9.1-lp152.3.3.1 and 0.9.1-bp152.4.3.1 respectively. There is no workaround for earlier versions other than not processing untrusted SOFA/HDF5 files with them. Whether a given build is affected can be confirmed by running mysofa2json under MemorySanitizer or valgrind against the proof-of-concept input from the upstream issue [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- libmysofa/libmysofa (source: CVE description)
- OSV coordinates (2 versions):
  pkg:rpm/opensuse/libmysofa&distro=openSUSE%20Leap%2015.2
  pkg:rpm/suse/libmysofa&distro=SUSE%20Package%20Hub%2015%20SP2
  affected ranges: < 0.9.1-lp152.3.3.1 and < 0.9.1-bp152.4.3.1
- (no CPE) range: < 0.9.1-lp152.3.3.1
- (no CPE) range: < 0.9.1-bp152.4.3.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
- [1] github.com/hoene/libmysofa/compare/v0.7...v0.8 (MITRE, x_refsource_MISC)
- [2] github.com/hoene/libmysofa/issues/67 (MITRE, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.