CVE-2024-57644
Description
An issue in the itc_hash_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An assertion failure in itc_hash_compare in OpenLink Virtuoso v7.2.11 triggers a DoS via a crafted SQL sequence.
Vulnerability
A flaw exists in the itc_hash_compare function within OpenLink Virtuoso Open-Source v7.2.11, exposed when processing a complex SQL statement with nested subqueries and a column reference to an outer table inside the RANK window function. The condition is reachable through standard SQL syntax, requiring no special database configuration. [1]
Exploitation
An attacker only needs the ability to issue SQL queries (e.g., INSERT, UPDATE with subqueries) to the database. The Proof-of-Concept provided [1] consists of creating a simple table, inserting rows, then executing an UPDATE that contains a subquery with a CASE WHEN condition referencing the outer table inside RANK. The server crashes immediately upon executing this statement.
Impact
Successful exploitation results in a Denial of Service (DoS) — the Virtuoso process crashes, terminating all active connections and requiring manual restart. No data compromise or privilege escalation is indicated by the source. [1]
Mitigation
No official fix or patched version has been released as of January 2025. The affected version is OpenLink Virtuoso Open-Source v7.2.11. Users may mitigate by restricting SQL statement complexity or by applying input validation to block known patterns, though no vendor-provided workaround is documented. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.