CVE-2023-43632: EVE Freely Allocates Buffer on The Stack With Data From Socket

February 4, 2026

VTPM server listens on port 8877, exposing limited TPM functionality. The server reads 4 bytes as a uint32 size header, then allocates that amount on the stack for incoming data. This allows Denial of Service attacks against the vTPM service.

An workload (a container or VM) running on EVE-OS can use this to generate a DOS against the vTPM service.

References

asrg.io/security-advisories/cve-2023-43632
asrg.io/security-advisories/freely-allocate-buffer-on-the-stack-with-data-from-socket
github.com/advisories/GHSA-6jp5-grgh-jw42
github.com/lf-edge/eve
github.com/lf-edge/eve/security/advisories/GHSA-6jp5-grgh-jw42
nvd.nist.gov/vuln/detail/CVE-2023-43632

Code Behaviors & Features

Detect and mitigate CVE-2023-43632 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →