CVE-2023-27754 – CVE-2023-27754 is a stack buffer overflow vulne... (How to Fix)

Q: What is the severity of CVE-2023-27754?

CVE-2023-27754 has a CVSS score of 5.5 (MEDIUM). CVE-2023-27754 is a stack buffer overflow vulnerability in vox2mesh 1.0 caused by improper use of memcpy() function. Attackers can exploit this by providing a specially crafted file to cause denial of service (program crash). Users running vox2mesh 1.0 are affected.

📋 TL;DR

CVE-2023-27754 is a stack buffer overflow vulnerability in vox2mesh 1.0 caused by improper use of memcpy() function. Attackers can exploit this by providing a specially crafted file to cause denial of service (program crash). Users running vox2mesh 1.0 are affected.

💻 Affected Systems

Products:

vox2mesh

Versions: 1.0

Operating Systems: All platforms where vox2mesh runs

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default configuration when processing files.

📦 What is this software?

Vox2mesh by Vox2mesh Project

View all CVEs affecting Vox2mesh →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution if the overflow can be controlled to execute arbitrary code, though the current description only mentions denial of service.

🟠

Likely Case

Denial of service causing the vox2mesh application to crash when processing malicious files.

🟢

If Mitigated

No impact if the vulnerable software is not used or if input validation prevents malicious files.

🌐 Internet-Facing: MEDIUM - If vox2mesh is exposed to untrusted file uploads from the internet, attackers could cause service disruption.

🏢 Internal Only: LOW - Internal users would need to intentionally provide malicious files to cause denial of service.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept code is publicly available, making exploitation straightforward for attackers with access to malicious files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider workarounds or alternative software.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation to reject files that could trigger the overflow

Memory Protection

all

Enable stack protection mechanisms like ASLR and DEP if supported by the operating system

🧯 If You Can't Patch

Restrict file processing to trusted sources only
Monitor for abnormal application crashes and investigate any suspicious files

🔍 How to Verify

Check if Vulnerable:

Check if vox2mesh version 1.0 is installed on the system

Check Version:

Check application documentation or run vox2mesh with version flag if available

Verify Fix Applied:

Verify that vox2mesh is no longer version 1.0 or has been removed

📡 Detection & Monitoring

Log Indicators:

Application crash logs from vox2mesh
Segmentation fault or abort messages

Network Indicators:

Unusual file uploads to systems running vox2mesh

SIEM Query:

Search for process termination events related to vox2mesh or segmentation faults

📊 Metadata

CVE ID: CVE-2023-27754

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE: CWE-787

Published: March 22, 2023

Last Updated: February 26, 2025

🔗 References

https://github.com/10cksYiqiyinHangzhouTechnology/vox2mesh_poc Exploit,Third Party Advisory
https://github.com/10cksYiqiyinHangzhouTechnology/vox2mesh_poc Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27754, you might also want to check these: