Mar 14, 2023 - 9:15 p.m.

CVE-2023-27590

2023-03-14 21:15:10
CWE-787
CWE-120
CWE-121
web.nvd.nist.gov
rizin
unix-like
reverse engineering
cve-2023-27590
buffer overflow
security vulnerability
patch
nvd

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 7.7 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 32.3%)

Rizin is a UNIX-like reverse engineering framework and command-line toolset. In version 0.5.1 and prior, converting a GDB registers profile file into a Rizin register profile can result in a stack-based buffer overflow when the name, type, or groups fields have longer values than expected. Users opening untrusted GDB registers files (e.g. with the drpg or arpg commands) are affected by this flaw. Commit d6196703d89c84467b600ba2692534579dc25ed4 contains a patch for this issue. As a workaround, review the GDB register profiles before loading them with drpg/arpg commands.

Affected configurations

Vulners
NVD
Node: rizinorg rizin, Range: 0.5.1

CPE | Name | Operator | Version
rizin:rizin | rizin | le | 0.5.1

CNA Affected

[
  {
    "vendor": "rizinorg",
    "product": "rizin",
    "versions": [
      {
        "version": "<= 0.5.1",
        "status": "affected"
      }
    ]
  }
]
