CVE-2023-28638

7.0 HIGH

📋 TL;DR

Snappier 1.1.0 contains a buffer overrun vulnerability: byte references can briefly point outside valid buffer areas, and a garbage collection compaction during that window can lead to a buffer overrun. An attacker could cause denial of service through process termination, with more severe impact possible if memory corruption occurs. All users of Snappier 1.1.0 are affected.

💻 Affected Systems

Products:
  • Snappier
Versions: 1.1.0 only
Operating Systems: All platforms running .NET
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects version 1.1.0; earlier versions use different pointer implementations and are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to arbitrary code execution or data exposure, though this is unlikely due to memory protection mechanisms.

🟠

Likely Case

Denial of service through process termination when protected memory is accessed, causing an exception.

🟢

If Mitigated

No impact once patched to version 1.1.1, or when buffers are pinned before being passed to Snappier.

🌐 Internet-Facing: MEDIUM - Requires specific timing and malformed input, but internet-facing services using Snappier compression could be targeted for DoS.
🏢 Internal Only: LOW - Internal systems are less likely to face targeted attacks, but the vulnerability still exists.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires precise timing of garbage collection compaction during buffer range checks, making it difficult to trigger intentionally.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1

Vendor Advisory: https://github.com/brantburnett/Snappier/security/advisories/GHSA-838x-pcvx-6p5w

Restart Required: Yes

Instructions:

1. Update Snappier package to version 1.1.1 via package manager.
2. Rebuild and redeploy applications using Snappier.
3. Restart affected services.

🔧 Temporary Workarounds

Pin buffers before use

Platform: all

Manually pin buffers to fixed memory locations before compression/decompression operations to prevent garbage collector movement.

// C#: buffer is a Memory<byte>; Pin() keeps it at a fixed address until the handle is disposed
using (var handle = buffer.Pin()) { /* compression/decompression */ }

🧯 If You Can't Patch

  • Implement input validation to reject malformed compression data that could increase exploitation chances.
  • Monitor application logs for unexpected process terminations or memory access exceptions.

🔍 How to Verify

Check if Vulnerable:

Check Snappier package version in your project dependencies; version 1.1.0 is vulnerable.

Check Version:

dotnet list package | findstr Snappier

Verify Fix Applied:

Confirm Snappier package version is 1.1.1 or higher in your project dependencies.
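
An added example (not from the advisory or the Snappier project) that turns the version check above into a script. It flags only the exact 1.1.0 release, and goes slightly beyond the command above by also reading packages.lock.json, where a transitively resolved Snappier is recorded. The function names and the sample project files are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

PACKAGE = "snappier"  # NuGet package IDs compare case-insensitively

def classify(version):
    """'vulnerable' for exactly 1.1.0, 'ok' for other releases, else 'unresolved'."""
    v = (version or "").split("+")[0].strip()  # drop build metadata
    if not v or not all(p.isdecimal() for p in v.split(".")):
        return "unresolved"  # range, floating (1.1.*), prerelease, or missing
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (4 - len(parts))  # NuGet treats 1.1 and 1.1.0.0 as 1.1.0
    return "vulnerable" if parts[:4] == [1, 1, 0, 0] else "ok"

def local(tag):
    return tag.split("}")[-1]  # strip the XML namespace of old-style csproj files

def scan_csproj(text):
    """Direct references: <PackageReference Include="Snappier" Version="..."/>."""
    findings = []
    for el in ET.fromstring(text).iter():
        if local(el.tag) != "PackageReference" or (el.get("Include") or "").lower() != PACKAGE:
            continue
        version = el.get("Version")
        if version is None:  # Version may be a child element instead
            version = next((c.text for c in el if local(c.tag) == "Version"), None)
        findings.append(("direct", version, classify(version)))
    return findings

def scan_lock(text):
    """Resolved versions, direct and transitive, from packages.lock.json."""
    findings = []
    for framework, deps in json.loads(text).get("dependencies", {}).items():
        for name, info in deps.items():
            if name.lower() == PACKAGE:
                kind = info.get("type", "unknown").lower()
                version = info.get("resolved")
                findings.append((f"{kind}:{framework}", version, classify(version)))
    return findings

# Constructed sample inputs, not taken from a real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Snappier" Version="1.1.*" />
</ItemGroup></Project>"""
SAMPLE_LOCK = """{"version": 1, "dependencies": {"net6.0": {
  "Snappier": {"type": "Transitive", "resolved": "1.1.0"}}}}"""

if __name__ == "__main__":
    for finding in scan_csproj(SAMPLE_CSPROJ) + scan_lock(SAMPLE_LOCK):
        print(*finding)
```

An "unresolved" verdict means the project file alone does not say which release is restored, so the resolved version in the lock file decides.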

📡 Detection & Monitoring

Log Indicators:

  • AccessViolationException or similar memory access exceptions in application logs
  • Unexpected process terminations during compression/decompression operations

Network Indicators:

  • Unusual patterns of compressed data being sent to services using Snappier

SIEM Query:

(EventID: Application Error OR Exception: AccessViolationException) AND ProcessName contains <your application name>
