CVE-2024-26149: Vyper's `_abi_decode` vulnerable to Memory Overflow
(updated )
If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode on the same input.
References
- github.com/advisories/GHSA-9p8r-4xp4-gw5w
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/pull/3925
- github.com/vyperlang/vyper/pull/4060
- github.com/vyperlang/vyper/pull/4091
- github.com/vyperlang/vyper/pull/4144
- github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w
- nvd.nist.gov/vuln/detail/CVE-2024-26149
Code Behaviors & Features
Detect and mitigate CVE-2024-26149 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →