CVE-2024-57645
Description
An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted SQL statement causes a crash in the qi_inst_state_free component of Virtuoso Open-Source 7.2.11, leading to denial of service.
Vulnerability
The vulnerability resides in the qi_inst_state_free function within Virtuoso Open-Source version 7.2.11. A specially crafted SQL statement, such as a SELECT with GROUP BY rollup and a JSON-like string literal, triggers a null pointer dereference or similar memory corruption, resulting in a crash. The issue was reproduced using the provided proof-of-concept on the official Docker image [1].
Exploitation
An attacker must have the ability to execute arbitrary SQL statements against the Virtuoso database server. This typically requires authenticated access (e.g., as the dba user) or a network connection to the server's SQL interface. The attacker sends the malicious SQL query, which causes the server process to crash, as demonstrated by the backtrace showing a crash at qi_inst_state_free+0x52 [1].
Impact
Successful exploitation leads to a denial of service (DoS) by crashing the Virtuoso server process. This disrupts database availability for legitimate users. No data confidentiality or integrity impact is reported; the attack solely affects availability.
Mitigation
As of the publication date (2025-01-14), no official patch or fixed version has been released. Users are advised to monitor the Virtuoso Open-Source repository for updates [1]. If immediate mitigation is required, restricting SQL execution privileges to trusted users or applying network-level access controls may reduce exposure, but these are not complete solutions.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.