CVE-2020-28723
Description
Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in CloudAvid PParam 1.3.1's IPv6Param::setAddress can be triggered by processing a crafted IPv6 address, leading to resource exhaustion.
Vulnerability
CVE-2020-28723 describes a memory leak in the IPv6Param::setAddress function of CloudAvid PParam version 1.3.1. The leak occurs in pparam::IPParam::split at /home/fuzz/codes/libfuzzer/PParam/src/sparam.cpp:905, as shown by AddressSanitizer output [1][2]. No special configuration is required — the code path is reachable when an application uses the library to parse an IPv6 address string.
Exploitation
An attacker can trigger the leak by supplying a malformed or carefully crafted IPv6 address string to an application that uses the vulnerable IPv6Param::setAddress method. No authentication or special network position is required; the attack vector is remote if the affected application accepts user-supplied network addresses. The fuzzer output in [1] demonstrates that repeatedly feeding such input causes a direct leak of 104 bytes per call.
Impact
Each invocation of the vulnerable code path leaks memory. Over repeated calls, the accumulated leak can exhaust available memory, degrade performance and eventually crash the consuming application, leading to a denial-of-service (DoS) condition. No code execution or information disclosure is indicated by the available references.
Mitigation
The maintainer has not released a patched version as of the references' publication date [2]. Users should monitor the project's GitHub repository for any future fix. If the library is used in a service that processes untrusted input, consider implementing additional input validation or rate limiting to reduce exposure.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- CloudAvid/PParam (description)
Patches
No patches discovered yet.
References
1. github.com/CloudAvid/PParam/issues/9 (mitre, x_refsource_MISC)