CVE-2018-17231

7.5 HIGH

📋 TL;DR

CVE-2018-17231 is a disputed denial-of-service vulnerability in Telegram Desktop that could cause the application to crash when users perform specific 'Edit color palette' searches. The vulnerability affects Telegram Desktop users running version 1.3.14. Note that this issue is disputed because it doesn't cross privilege boundaries and requires user interaction.

💻 Affected Systems

Products:
  • Telegram Desktop (tdesktop)
Versions: 1.3.14
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the desktop client, not mobile apps or Telegram servers. Requires user to access and use the color palette editing feature.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Application crashes and exits, causing temporary denial of service for the user. No privilege escalation or data compromise occurs.

🟠 Likely Case

User experiences an application crash when performing specific color palette editing operations, requiring a restart of Telegram Desktop.

🟢 If Mitigated

Minimal impact - the user simply restarts the application with no data loss or system compromise.

🌐 Internet-Facing: LOW - Requires local user interaction with the application interface, not exploitable remotely.
🏢 Internal Only: LOW - Even internally, requires user to perform specific actions within the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction with the application GUI. The vulnerability is disputed as it doesn't cross privilege boundaries and only causes application crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.3.14

Vendor Advisory: https://github.com/telegramdesktop/tdesktop

Restart Required: Yes

Instructions:

1. Open Telegram Desktop.
2. Go to Settings > Advanced > Check for updates.
3. Install any available updates.
4. Restart Telegram Desktop.

🔧 Temporary Workarounds

Avoid color palette editing (applies to: all platforms)

Do not use the 'Edit color palette' search feature in Telegram Desktop.

🧯 If You Can't Patch

  • Avoid using the color palette editing feature in Telegram Desktop
  • Use Telegram web or mobile clients as alternatives

🔍 How to Verify

Check if Vulnerable:

Check Telegram Desktop version in Settings > Advanced > Version. If version is 1.3.14, you are vulnerable.

Check Version:

On Linux: telegram-desktop --version
On Windows: check Help > About in the application.

Verify Fix Applied:

Update to latest version and verify version is greater than 1.3.14 in Settings > Advanced > Version.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs mentioning 'assertion failure' or 'index out of range'
  • Unexpected Telegram Desktop process termination

Network Indicators:

  • No network indicators - this is a local application crash

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName='Telegram.exe' AND (Message contains 'assertion' OR Message contains 'index out of range')

Note: the parentheses around the two EventID terms are required. Without them, AND binds more tightly than OR, so the query would match every EventID 1000 record from any process.
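The following Python script is an added example, not part of the original advisory or the tdesktop project. It implements the detection logic from the SIEM query above as a rule evaluated over a handful of constructed Windows Application log records (EventID 1000 = Application Error, 1001 = Windows Error Reporting), shows why the operator precedence matters by evaluating the same records with an unparenthesized variant of the rule, and adds the version check from the "How to Verify" section (vulnerable if exactly 1.3.14, fixed if greater). The field names `EventID`, `ProcessName` and `Message` are taken from the query; the sample event records are constructed for illustration and are not real captured logs.

```python
"""Crash-event detection rule and version check for CVE-2018-17231 (added example)."""

CRASH_EVENT_IDS = {1000, 1001}            # Application Error, Windows Error Reporting
TARGET_PROCESS = "telegram.exe"           # compared case-insensitively
CRASH_KEYWORDS = ("assertion", "index out of range")
VULNERABLE_VERSION = (1, 3, 14)           # the only version the advisory lists

# Constructed sample records modelled on Windows Application log events.
# These are illustrative, not real captured logs.
SAMPLE_EVENTS = [
    {"EventID": 1000, "ProcessName": "Telegram.exe",
     "Message": "Faulting application name: Telegram.exe; assertion failure: index out of range"},
    {"EventID": 1001, "ProcessName": "Telegram.exe",
     "Message": "Fault bucket 42, type 4; Event Name: APPCRASH; Telegram.exe"},
    {"EventID": 1000, "ProcessName": "notepad.exe",
     "Message": "Faulting application name: notepad.exe; assertion failure"},
    {"EventID": 7036, "ProcessName": "Telegram.exe",
     "Message": "The service entered the running state; assertion"},
]


def _has_crash_keyword(message):
    """True if the message mentions one of the crash keywords (case-insensitive)."""
    text = message.lower()
    return any(keyword in text for keyword in CRASH_KEYWORDS)


def _is_target_process(event):
    return event.get("ProcessName", "").lower() == TARGET_PROCESS


def matches_crash_rule(event):
    """(EventID=1000 OR EventID=1001) AND ProcessName='Telegram.exe' AND keyword in Message."""
    return (event.get("EventID") in CRASH_EVENT_IDS
            and _is_target_process(event)
            and _has_crash_keyword(event.get("Message", "")))


def matches_unparenthesized_rule(event):
    """The query as written without parentheses. AND binds tighter than OR, so it
    evaluates as: EventID=1000 OR (EventID=1001 AND process AND keyword),
    which fires on every EventID 1000 record regardless of process."""
    return (event.get("EventID") == 1000
            or (event.get("EventID") == 1001
                and _is_target_process(event)
                and _has_crash_keyword(event.get("Message", ""))))


def find_crash_events(events, rule=matches_crash_rule):
    """Return the records (in input order) that satisfy the given rule."""
    return [event for event in events if rule(event)]


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple; extra components are ignored."""
    parts = text.strip().split(".")
    return tuple(int(part) for part in parts[:3])


def is_vulnerable_version(text):
    """Only 1.3.14 is listed as affected in the advisory."""
    return parse_version(text) == VULNERABLE_VERSION


def is_fixed_version(text):
    """The advisory says to verify the version is greater than 1.3.14."""
    return parse_version(text) > VULNERABLE_VERSION


if __name__ == "__main__":
    correct = find_crash_events(SAMPLE_EVENTS)
    sloppy = find_crash_events(SAMPLE_EVENTS, rule=matches_unparenthesized_rule)
    print("parenthesized rule matched:", [e["ProcessName"] for e in correct])
    print("unparenthesized rule matched:", [e["ProcessName"] for e in sloppy])
    for version in ("1.3.14", "1.3.15", "1.4.0"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "not vulnerable",
              "/ fixed" if is_fixed_version(version) else "/ not fixed")
```

On the constructed sample, the parenthesized rule matches only the Telegram.exe Application Error record, while the unparenthesized variant also picks up the unrelated notepad.exe crash. The 1001 record from Telegram.exe is not matched by either because its message carries none of the keywords; if your Windows Error Reporting records do not repeat the assertion text, consider matching EventID 1001 on process name alone and tuning from there.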

🔗 References
