Unrated severityNVD Advisory· Published May 21, 2024· Updated Aug 1, 2024

Denial of Service in Tink-cc

CVE-2024-4420

Description

There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3. * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.

An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.

We recommend upgrading to version 2.1.3 or above

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Tink-cc/Tink-ccllm-create
Range: <2.1.3
Google/Tinkcpe-rescue
Range: 2.0.0
Google/Tink (Legacy)v5
Range: 0

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/tink-crypto/tink-cc/issues/4mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000