CVE-2023-37187

7.5 HIGH

📋 TL;DR

CVE-2023-37187 is a NULL pointer dereference in c-blosc2's zfp codec plugin, in zfp_acc_decompress() in plugins/codecs/zfp/blosc2-zfp.c. A crafted Blosc2 chunk whose header selects the zfp fixed-accuracy codec drives the decompressor into dereferencing a NULL pointer, so the process decompressing the data dies with a segmentation fault (denial of service). Because the codec to use is taken from the attacker-controlled chunk header, any application that decompresses untrusted Blosc2 chunks with an affected build is exposed, even if it never compresses with zfp itself. Fixed in c-blosc2 2.9.3.

💻 Affected Systems

Products:
  • c-blosc2
Versions: All versions before 2.9.3
Operating Systems: All platforms where c-blosc2 is used
Default Config Vulnerable: ⚠️ Yes, whenever untrusted chunks are decompressed
Notes: The bug is in plugins/codecs/zfp/blosc2-zfp.c. Upstream's CMake build compiles the zfp codec into libblosc2 together with the other bundled plugin codecs, and the codec used for decompression is read from the chunk header, so the vulnerable path is reachable from any affected build that decompresses attacker-supplied chunks. Builds that strip the zfp codec, and applications that only ever decompress data they produced themselves, are not exposed.

📦 What is this software?

c-blosc2 is the C implementation of Blosc2, a high-performance meta-compressor for binary data: it splits a buffer into blocks, runs filters such as shuffle, bitshuffle and delta over them, and hands each block to a codec, either a built-in one (BLOSCLZ, LZ4, Zlib, Zstd) or one of the bundled plugin codecs such as NDLZ and ZFP, the latter a lossy compressor for floating-point arrays. The codec and filters in use are recorded in each chunk's header, which is how a decompressor that never compressed with zfp can still be steered into the zfp code. Most deployments reach the library indirectly, through the python-blosc2 bindings and HDF5 filters (PyTables, hdf5plugin), so it tends to live inside data pipelines and file-format readers rather than behind a network port of its own.

⚠️ Risk & Real-World Impact

🔴 Worst Case

The process performing the decompression dies with SIGSEGV. For a long-running service that is a denial of service of the worker or the whole daemon; for a batch pipeline it aborts the job, and if the offending chunk is persisted (for example inside an HDF5 file or an object store) every retry crashes the same way until the data is removed.

🟠 Likely Case

Repeated crashes of whichever component decompresses externally supplied Blosc2 chunks, with the usual restart churn and lost in-flight work until the input is identified and blocked.

🟢 If Mitigated

Negligible once the library is at 2.9.3 or later, or once untrusted chunks are refused before decompression (or decompressed in an isolated worker) so the zfp path is never reached with hostile data.

🌐 Internet-Facing: MEDIUM - c-blosc2 is rarely exposed as a network service by itself; it is reached through services that accept uploaded Blosc2 chunks, HDF5/PyTables files or python-blosc2 frames from outside. Where such an ingestion path exists, a single unauthenticated upload is enough to crash the worker.
🏢 Internal Only: MEDIUM - Internal pipelines that decompress data from other teams, shared object stores or user uploads are affected; pipelines that only read data they produced themselves are not.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs only a crafted chunk whose header selects the zfp fixed-accuracy codec and whose payload leads zfp_acc_decompress() to the NULL dereference. No authentication is involved because the library trusts the codec selection in the header; the only precondition is that the vulnerable decompression path consumes data the attacker can supply.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.3

Vendor Advisory (fix commit): https://github.com/Blosc/c-blosc2/commit/425e8a9a59d49378d57e2116b6c9b0190a5986f5

Restart Required: Yes

Instructions:

1. Update c-blosc2 to version 2.9.3 or later (the fix commit is linked above).
2. Rebuild anything that links c-blosc2 statically or vendors its sources; dynamically linked applications pick up the new shared library on restart. Python users get the fix through a python-blosc2 release that bundles c-blosc2 2.9.3 or later, not through the system package.
3. Restart affected services so no process still has the old library mapped.
4. For distribution packages, use the usual update path (apt-get upgrade, dnf/yum update, etc.) and confirm the installed version afterwards.

🔧 Temporary Workarounds

Disable or strip the zfp codec

Platforms: all

Remove the zfp codec from your c-blosc2 build if nothing in your pipeline legitimately produces zfp-compressed data; the bug is confined to that codec, and a library without it cannot reach zfp_acc_decompress() whatever the chunk header says.

Upstream's CMake build compiles the bundled plugin codecs, including plugins/codecs/zfp, into libblosc2, so this means editing the build configuration to leave out the zfp codec sources and the bundled zfp library rather than flipping a single option. Check the CMakeLists of the version you build for the exact mechanism, and confirm afterwards that the rebuilt library carries no zfp symbols (for example, strings on libblosc2.so should no longer list zfp names).

🧯 If You Can't Patch

  • Refuse untrusted chunks before they reach blosc2_decompress(): parse the chunk header yourself and reject anything whose codec field selects a user-defined (plugin) codec, or whose sizes disagree with the buffer you received. Accept only the built-in codecs (BLOSCLZ, LZ4, Zlib, Zstd) unless your own producers legitimately emit zfp data.
  • Isolate the decompression step. A NULL pointer dereference is a SIGSEGV, not an error code, so try/except or return-value checks in the calling code never see it; decompress untrusted data in a separate worker process (or a sandboxed subprocess) that the parent can restart, and treat a crash as a rejected input rather than a service outage.
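The input validation suggested above, made concrete as an added example that is not c-blosc2's own code: a Python pre-filter (Python because most Blosc2 consumers reach the library through python-blosc2) that parses the fixed part of a Blosc2 chunk header and refuses chunks selecting a plugin codec or carrying inconsistent sizes. The header offsets, the codec bits in the flags byte, the user-defined-codec marker (6), the udcompcode byte at offset 22 and the zfp codec id 33 used in the sample are my reading of blosc2.h and must be checked against the version you link; the sample chunks are constructed and contain no real compressed data.

```python
import struct

# Chunk-header constants as I read them from blosc2.h (assumption: verify against
# the header of the c-blosc2 version you actually link).
BLOSC_MIN_HEADER_LENGTH = 16         # blosc1-compatible fixed header
BLOSC_EXTENDED_HEADER_LENGTH = 32    # blosc2 extended header
FLAG_DOSHUFFLE = 0x01
FLAG_DOBITSHUFFLE = 0x04
# blosc1 never sets both shuffle bits; blosc2 uses the pair to mark the extended header.
EXTENDED_MARKER = FLAG_DOSHUFFLE | FLAG_DOBITSHUFFLE
UDCODEC_FORMAT = 6                   # compcode value meaning "user-defined / plugin codec"
UDCOMPCODE_OFFSET = 22               # extended-header byte holding the plugin codec id
ZFP_FIXED_ACCURACY_ID = 33           # assumed registered id of zfp fixed-accuracy (sample only)

BUILTIN_FORMATS = {0: "blosclz", 1: "lz4", 4: "zlib", 5: "zstd"}


def inspect_chunk(chunk: bytes) -> dict:
    """Read codec selection and sizes from a chunk header; never touches the payload."""
    if len(chunk) < BLOSC_MIN_HEADER_LENGTH:
        raise ValueError("chunk shorter than the 16-byte Blosc header")
    version, versionlz, flags, typesize, nbytes, blocksize, cbytes = struct.unpack_from(
        "<BBBBiii", chunk, 0)
    compcode = (flags & 0xE0) >> 5   # codec format lives in the top three flag bits
    extended = (flags & EXTENDED_MARKER) == EXTENDED_MARKER
    udcompcode = None
    if compcode == UDCODEC_FORMAT:
        if not extended or len(chunk) < BLOSC_EXTENDED_HEADER_LENGTH:
            raise ValueError("plugin codec selected but no extended header present")
        udcompcode = chunk[UDCOMPCODE_OFFSET]
    return {"version": version, "versionlz": versionlz, "flags": flags,
            "typesize": typesize, "nbytes": nbytes, "blocksize": blocksize,
            "cbytes": cbytes, "compcode": compcode, "udcompcode": udcompcode,
            "extended": extended}


def chunk_is_acceptable(chunk: bytes) -> tuple:
    """Return (ok, reason); ok is False when the chunk must not reach blosc2_decompress()."""
    try:
        info = inspect_chunk(chunk)
    except ValueError as exc:
        return False, str(exc)
    if info["cbytes"] != len(chunk):
        return False, f"header cbytes {info['cbytes']} != buffer length {len(chunk)}"
    if info["nbytes"] < 0 or info["blocksize"] < 0 or info["blocksize"] > info["nbytes"]:
        return False, "implausible nbytes/blocksize"
    if info["compcode"] == UDCODEC_FORMAT:
        # zfp, ndlz and every other plugin codec are dispatched through this path.
        return False, f"plugin codec id {info['udcompcode']} refused; built-in codecs only"
    if info["compcode"] not in BUILTIN_FORMATS:
        return False, f"unknown codec format {info['compcode']}"
    return True, BUILTIN_FORMATS[info["compcode"]]


def make_chunk(flags: int, nbytes: int, blocksize: int, payload: bytes,
               udcompcode=None) -> bytes:
    """Constructed test chunk with a self-consistent header (payload is filler, not compressed data)."""
    extended = (flags & EXTENDED_MARKER) == EXTENDED_MARKER
    if udcompcode is not None and not extended:
        raise ValueError("a plugin codec id needs the extended header")
    header_len = BLOSC_EXTENDED_HEADER_LENGTH if extended else BLOSC_MIN_HEADER_LENGTH
    header = bytearray(header_len)
    # version=2, versionlz=1, typesize=8 are filler values for the sample
    struct.pack_into("<BBBBiii", header, 0, 2, 1, flags, 8, nbytes, blocksize,
                     header_len + len(payload))
    if udcompcode is not None:
        header[UDCOMPCODE_OFFSET] = udcompcode
    return bytes(header) + payload


# Constructed samples: an LZ4 chunk, a chunk selecting the zfp plugin codec, and two malformed ones.
SAMPLE_LZ4 = make_chunk((1 << 5) | EXTENDED_MARKER, 4096, 4096, b"\x00" * 40)
SAMPLE_ZFP = make_chunk((UDCODEC_FORMAT << 5) | EXTENDED_MARKER, 4096, 4096, b"\x00" * 40,
                        udcompcode=ZFP_FIXED_ACCURACY_ID)
SAMPLE_TRUNCATED = SAMPLE_LZ4[:10]
SAMPLE_LYING_CBYTES = SAMPLE_LZ4 + b"\x00" * 8   # trailing bytes the header does not account for

if __name__ == "__main__":
    for name, chunk in [("lz4", SAMPLE_LZ4), ("zfp plugin", SAMPLE_ZFP),
                        ("truncated", SAMPLE_TRUNCATED), ("cbytes mismatch", SAMPLE_LYING_CBYTES)]:
        ok, why = chunk_is_acceptable(chunk)
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Run the gate on every chunk you receive from outside and only pass the survivors to the library. It is a stopgap, not a fix: it also blocks legitimate zfp data from your own producers, and it protects only the code paths you route through it, so the upgrade to 2.9.3 remains the real remedy.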

🔍 How to Verify

Check if Vulnerable:

Establish which c-blosc2 your application actually executes: the version the library reports at runtime, the version of the shared object it is linked against (ldd <binary> | grep blosc2), and whether any component vendors its own copy (python-blosc2 wheels bundle c-blosc2, so the bundled version matters there, not the system package's). Every copy older than 2.9.3 that can receive untrusted chunks is vulnerable; the zfp codec is present in upstream's default build.

Check Version:

For the library: blosc2_get_version_string() at runtime, or the BLOSC2_VERSION_STRING macro from blosc2.h at compile time. For development files: pkg-config --modversion blosc2. For distribution packages: dpkg -l 'libblosc2*' or rpm -qa | grep -i blosc2.

Verify Fix Applied:

Confirm that every copy found above reports 2.9.3 or later, rebuild statically linked or vendored consumers against the updated sources, and restart the services so no running process still maps the old library (compare the libblosc2 entry in /proc/<pid>/maps with the new file if in doubt).

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in processes that decompress Blosc2 data; on Linux the kernel logs "segfault at <addr> ... in libblosc2.so..." (or in an extension module that bundles c-blosc2), and for this bug the faulting address is 0 or a small offset from it
  • Crash dumps (systemd-coredump, core files) whose backtrace passes through zfp_acc_decompress / blosc2-zfp.c; the library itself prints no error for this condition, the crash is the only trace

Network Indicators:

  • Blosc2 chunks arriving from sources that normally send only built-in codecs but whose header selects a user-defined codec, or a burst of such chunks immediately preceding worker restarts

SIEM Query:

Kernel segfault or coredump events for a process whose faulting module or backtrace contains 'blosc2' or 'zfp' and whose fault address lies in the first page (a NULL pointer dereference), grouped per host and process name to expose repeated crashes from the same input
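To make that query testable against actual log text, here is an added Python scanner (example code, not from c-blosc2 or any vendor) that picks NULL-page segfaults whose faulting module name contains blosc2 or zfp out of kernel log lines and counts them per process. The journal excerpt is constructed, not real telemetry; the message shape is the x86 Linux "segfault at ... in MODULE[base+size]" line as carried by journald or syslog.

```python
import re
from collections import Counter

# x86 Linux prints unhandled user-space faults as
#   COMM[PID]: segfault at ADDR ip IP sp SP error ERR in MODULE[BASE+SIZE]
# (other architectures and newer kernels vary the tail; extend the regex as needed).
SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<module>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
TARGET_MODULE_RE = re.compile(r"blosc2|zfp", re.IGNORECASE)
NULL_PAGE_LIMIT = 0x1000   # a fault below the first page is a NULL pointer plus a small offset


def classify_line(line: str):
    """Return a finding for a NULL-page fault inside a blosc2/zfp mapping, otherwise None."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    module = m.group("module") or ""
    fault_addr = int(m.group("addr"), 16)
    if fault_addr >= NULL_PAGE_LIMIT or not TARGET_MODULE_RE.search(module):
        return None
    err = int(m.group("err"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": fault_addr,
        "module": module,
        # page-fault error code: bit 0 = protection violation (0 = page not present),
        # bit 1 = write access, bit 2 = fault raised in user mode
        "user_mode": bool(err & 4),
        "write": bool(err & 2),
    }


def scan(lines):
    """Classify every line; return the findings and a per-process crash count."""
    findings = [f for f in (classify_line(line) for line in lines) if f is not None]
    per_process = Counter(f["comm"] for f in findings)
    return findings, per_process


# Constructed journal excerpt (not real telemetry): two NULL-page faults in libblosc2,
# one in a Python extension bundling c-blosc2, plus noise that must not match: an
# unrelated nginx crash, a blosc2 fault at a non-NULL address, and an sshd line.
SAMPLE_LOG = """\
Jul 12 10:15:33 ingest01 kernel: python3[23456]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd5c3e8a40 error 4 in libblosc2.so.2.9.2[7f3a1c290000+6b000]
Jul 12 10:15:34 ingest01 kernel: python3[23460]: segfault at 10 ip 00007f3a1c2b4d10 sp 00007ffd5c3e8a40 error 4 in libblosc2.so.2.9.2[7f3a1c290000+6b000]
Jul 12 10:15:40 ingest01 kernel: nginx[1200]: segfault at 0 ip 000055d1a3c0e2f1 sp 00007ffcd0a1b3e0 error 4 in nginx[55d1a3b00000+1c0000]
Jul 12 10:16:02 ingest01 kernel: h5loader[778]: segfault at 7f9d00000000 ip 00007f9d1a2b3c4d sp 00007ffe0a1b2c3d error 4 in libblosc2.so.2.9.2[7f9d1a280000+6b000]
Jul 12 10:16:10 ingest01 kernel: worker[901]: segfault at 8 ip 00007f12ab34cd56 sp 00007ffd1122aabb error 4 in blosc2_ext.cpython-311-x86_64-linux-gnu.so[7f12ab300000+e0000]
Jul 12 10:16:11 ingest01 sshd[2001]: Accepted publickey for deploy from 10.0.0.5 port 50112
""".splitlines()

if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['comm']}[{h['pid']}] NULL-page fault at {h['fault_addr']:#x} in {h['module']}")
    print("crashes per process:", dict(counts))
```

Feed it the output of journalctl -k (or the kernel facility of your syslog). Two caveats: the kernel rate-limits these messages, so a flood of crashes can be under-reported and systemd-coredump is the more complete record; and a NULL-page fault inside libblosc2 is consistent with this CVE but not proof of it, which needs a backtrace through zfp_acc_decompress().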

🔗 References

  • Fix commit: https://github.com/Blosc/c-blosc2/commit/425e8a9a59d49378d57e2116b6c9b0190a5986f5
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-37187