CVE-2023-37185

7.5 HIGH

📋 TL;DR

CVE-2023-37185 is a NULL pointer dereference vulnerability in the zfp_prec_decompress function of c-blosc2 that can cause a denial of service (crash) when malicious compressed data is processed. It affects applications that use the c-blosc2 library at versions before 2.9.3 for data compression/decompression. Triggering the vulnerability requires that the application process untrusted input.

💻 Affected Systems

Products:
  • c-blosc2 library
  • Applications using c-blosc2 for compression
Versions: All versions before 2.9.3
Operating Systems: All platforms where c-blosc2 is used
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the zfp compression backend; it only affects systems that use zfp compression in c-blosc2.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service, potentially disrupting dependent services or causing data loss if the crash occurs during a critical operation.

🟠 Likely Case: Application crash when processing malicious or malformed compressed data, resulting in temporary service unavailability.

🟢 If Mitigated: Minimal impact if proper input validation and error handling are implemented, though crashes may still occur.

🌐 Internet-Facing: MEDIUM - Exploitable if application processes untrusted compressed data from external sources, but requires specific conditions.
🏢 Internal Only: LOW - Lower risk in controlled environments unless processing untrusted data from internal sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to deliver malicious compressed data to the vulnerable function; no authentication is needed if the application accepts external input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.3

Vendor Advisory: https://github.com/Blosc/c-blosc2/commit/425e8a9a59d49378d57e2116b6c9b0190a5986f5

Restart Required: Yes

Instructions:

1. Update c-blosc2 to version 2.9.3 or later.
2. Recompile applications using c-blosc2.
3. Restart affected services.
4. Verify the fix by checking the version and testing with known safe data.

🔧 Temporary Workarounds

Disable zfp compression
  Applies to: all
  Disable the zfp compression backend if it is not required and use an alternative compression method.
  Configure applications to use blosclz, lz4, or zstd instead of zfp.

Input validation
  Applies to: all
  Implement strict input validation for compressed data before passing it to c-blosc2.

🧯 If You Can't Patch

  • Implement network segmentation to limit access to services using c-blosc2
  • Deploy application-level firewalls to filter suspicious compressed data inputs

🔍 How to Verify

Check if Vulnerable:

Check the c-blosc2 version: if the version is lower than 2.9.3 and zfp compression is used, the system is vulnerable.

Check Version:

Check the library version reported by the application, or, if the library is installed system-wide, run: pkg-config --modversion c-blosc2

Verify Fix Applied:

Verify that the c-blosc2 version is 2.9.3 or later and test decompression with a variety of inputs.
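As an added example (not part of this advisory and not c-blosc2 project code), the following POSIX shell script turns the version check above into something that can run in a fleet audit: it compares a version string against the 2.9.3 fix threshold and, when no version is given, asks pkg-config for the installed library. The pkg-config module name "blosc2" is an assumption about the installed .pc file (the advisory names "c-blosc2", which is tried second); the script cannot tell whether the zfp codec is actually in use, so an AFFECTED result means the version is in range, not that the code path is reachable.

```shell
#!/bin/sh
# Added example for CVE-2023-37185: classify a c-blosc2 version against the 2.9.3 fix.
# Not the advisory's or the c-blosc2 project's code.

# Return 0 (true) when VERSION is older than 2.9.3, i.e. inside the affected range.
# Accepts "major.minor" or "major.minor.patch"; a suffix such as "-beta" is ignored.
is_vulnerable_version() {
    major=$(printf '%s' "$1" | cut -d. -f1 | tr -dc '0-9')
    minor=$(printf '%s' "$1" | cut -d. -f2 | tr -dc '0-9')
    patch=$(printf '%s' "$1" | cut -d. -f3 | tr -dc '0-9')
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 9 ]; then return 0; fi
    if [ "$minor" -gt 9 ]; then return 1; fi
    [ "$patch" -lt 3 ]
}

# Classify the installed library (or a version passed as $1).
# Return status: 0 = affected version, 1 = fixed version, 2 = undetermined.
# Module name "blosc2" is an assumption about the installed .pc file;
# "c-blosc2" (the name used in the advisory) is tried as a fallback.
check_installed_blosc2() {
    if [ -n "$1" ]; then
        ver="$1"            # version supplied by the caller, e.g. from an application banner
    elif command -v pkg-config >/dev/null 2>&1; then
        ver=$(pkg-config --modversion blosc2 2>/dev/null) ||
        ver=$(pkg-config --modversion c-blosc2 2>/dev/null) || ver=""
    else
        ver=""
    fi
    if [ -z "$ver" ]; then
        echo "UNDETERMINED: no c-blosc2 version found via pkg-config; inspect any bundled copy manually"
        return 2
    fi
    if is_vulnerable_version "$ver"; then
        echo "AFFECTED: c-blosc2 $ver is older than 2.9.3 (CVE-2023-37185 applies if the zfp codec is used)"
        return 0
    fi
    echo "FIXED: c-blosc2 $ver includes the 2.9.3 fix"
    return 1
}

# Usage: ./check_blosc2.sh            (query pkg-config)
#        ./check_blosc2.sh 2.9.2      (classify a known version string)
if check_installed_blosc2 "$@"; then
    echo "ACTION: upgrade c-blosc2 to 2.9.3 or later, or disable the zfp codec until you can"
fi
```

The comparison is done field by field rather than with sort -V so the script also works on minimal busybox-style shells; pair the result with the configuration check for zfp usage noted in the Affected Systems section before treating a host as exposed.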

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Error logs mentioning zfp_prec_decompress failures
  • Unexpected process termination during data decompression

Network Indicators:

  • Unusual compressed data patterns sent to services
  • Repeated connection attempts followed by service crashes

SIEM Query:

Correlate process termination events from applications that use c-blosc2 with the incoming network traffic that immediately preceded them.

🔗 References
