VYPR
Unrated severity · OSV Advisory · Published Jan 13, 2019 · Updated Aug 4, 2024

CVE-2019-6250

Description

A pointer overflow in ZeroMQ libzmq v4.2.x to 4.3.0 allows authenticated remote code execution by bypassing bounds checks via integer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A pointer overflow vulnerability exists in ZeroMQ libzmq versions 4.2.x and 4.3.x before 4.3.1. In src/v2_decoder.cpp, the zmq::v2_decoder_t::size_ready() function inadequately validates a peer-supplied msg_size_ value. A very large value causes a pointer overflow in the comparison, allowing an attacker to bypass bounds checking and write arbitrary data beyond the allocated buffer. The issue is present since v4.2.0; older releases are not affected [1][2].

Exploitation

An authenticated attacker can send a crafted message with an excessively large msg_size_ value. This causes an integer overflow in the pointer arithmetic during the bounds check, which evaluates as false even though the data does not fit in the buffer. Consequently, libzmq copies attacker-supplied bytes directly into memory beyond the intended buffer. The attacker must know valid memory addresses for code execution, so ASLR provides mitigation. The attack requires authentication; peers behind CURVE/GSSAPI are not vulnerable to unauthenticated attackers [1][2].

Impact

Successful exploitation allows an authenticated attacker to overwrite memory beyond the receive buffer, which is immediately followed by a content_t structure containing function pointers. By overwriting these pointers, the attacker can inject and execute arbitrary OS commands or code on the target system. The attack does not require typical buffer-overflow control flow manipulation due to the memory layout [1].

Mitigation

The vulnerability is fixed in ZeroMQ libzmq version 4.3.1, released on 2019-01-12 [2]. Users should upgrade to 4.3.1 or later. No workaround is available [3]. The flaw is not exploitable without authentication, so enabling CURVE/GSSAPI protection prevents unauthenticated exploitation [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Pointer arithmetic overflow in the bounds check of zmq::v2_decoder_t::size_ready() allows an attacker-supplied msg_size to bypass the buffer limit check."

Attack vector

An authenticated attacker sends a crafted ZMTP 2.0 message with a very large 64-bit payload size. The pointer arithmetic in `size_ready()` overflows, causing the bounds check to evaluate as false even though the payload does not fit in the allocated buffer [ref_id=1]. This allows the attacker to write arbitrary data beyond the buffer, overwriting the adjacent `content_t` structure that contains a function pointer (`ffn`). By controlling `ffn` and its arguments, the attacker can call arbitrary functions (e.g., `strcpy` then `system`) to execute OS commands on the target [ref_id=1].

Affected code

The vulnerability resides in `src/v2_decoder.cpp` in the functions `zmq::v2_decoder_t::eight_byte_size_ready()` and `zmq::v2_decoder_t::size_ready()`. The attacker-supplied `msg_size` is used in a pointer comparison that can overflow, bypassing the bounds check [ref_id=1].

What the fix does

The advisory states that resolution must prevent pointer arithmetic overflow in `zmq::v2_decoder_t::size_ready()` [ref_id=1]. The patch (not shown in the bundle) would need to ensure that the addition `read_pos_ + msg_size_` cannot wrap around, so that the bounds comparison correctly rejects oversized payloads. Without this fix, an attacker can bypass the check and write beyond the allocated buffer.
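The bypass described above, shown as an added illustration rather than libzmq's own code: the vulnerable pattern adds the peer-supplied size to the read cursor and compares the sum with the buffer end, while the hardened form compares the size against the space that remains. The buffer, the function names and the assumption that the real fix takes this shape are all constructed for the example, since the patch is not shown here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the decoder's receive buffer (not libzmq's). */
#define BUF_SIZE 64
static unsigned char buffer[BUF_SIZE];

/* Vulnerable pattern: add the peer-supplied size to the read position and
 * compare the result with the buffer end.  The sum is modelled as uintptr_t
 * so the wrap-around is well defined in this demo; on a real pointer the
 * same overflow is undefined behaviour that in practice wraps the same way,
 * which is what lets a huge size pass the check. */
static bool vulnerable_fits(const unsigned char *read_pos, uint64_t msg_size)
{
    uintptr_t end = (uintptr_t) buffer + BUF_SIZE;
    uintptr_t claimed_end = (uintptr_t) read_pos + (uintptr_t) msg_size;
    return claimed_end <= end;  /* a wrapped sum looks "in bounds" */
}

/* Hardened pattern: compare the size against the space that remains, a
 * value bounded by BUF_SIZE, so no addition can overflow. */
static bool hardened_fits(const unsigned char *read_pos, uint64_t msg_size)
{
    const unsigned char *end = buffer + BUF_SIZE;
    if (read_pos < buffer || read_pos > end)
        return false;           /* cursor itself is out of range */
    uint64_t remaining = (uint64_t) (end - read_pos);
    return msg_size <= remaining;
}

/* True when the vulnerable check would accept a payload that the hardened
 * check rejects, i.e. when the bounds check has been bypassed. */
static bool check_bypassed(size_t offset, uint64_t msg_size)
{
    const unsigned char *read_pos = buffer + offset;
    return vulnerable_fits(read_pos, msg_size)
        && !hardened_fits(read_pos, msg_size);
}
```

A size near UINT64_MAX makes the first check wrap to an address below the buffer end and pass, while the second rejects it because the remaining space is at most BUF_SIZE.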

Preconditions

  • auth: The attacker must be able to connect and authenticate to a ZeroMQ endpoint using the ZMTP 2.0 protocol.
  • input: The attacker must know or guess the memory layout of the target process (e.g., addresses of strcpy, system, and a writable .data section) to craft the exploit payload.
  • config: The target must be running libzmq 4.2.x or 4.3.x before 4.3.1.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
