CVE-2024-36626
📋 TL;DR
A NULL pointer dereference vulnerability exists in the math_round function in Tools.php of PrestaShop 8.1.4. It can crash the application when certain malformed input is processed. Every PrestaShop 8.1.4 installation that uses the affected function is potentially vulnerable.
💻 Affected Systems
- PrestaShop
📦 What is this software?
PrestaShop, an open-source e-commerce platform, by PrestaShop
⚠️ Risk & Real-World Impact
Worst Case
Application crashes leading to denial of service, potentially disrupting e-commerce operations and causing revenue loss.
Likely Case
Application instability or crashes when processing specific malformed data through the math_round function.
If Mitigated
Minimal impact with proper input validation and error handling in place.
🎯 Exploit Status
Exploitation requires triggering the math_round function with specific input. The GitHub commit shows the exact vulnerable code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 20fa542294da2cfa034a48041e292acaed0c2a7f and later versions
Vendor Advisory: https://github.com/prestashop/prestashop/commit/20fa542294da2cfa034a48041e292acaed0c2a7f
Restart Required: No
Instructions:
1. Update to the latest PrestaShop version.
2. Apply the specific commit 20fa542294da2cfa034a48041e292acaed0c2a7f.
3. Replace the vulnerable Tools.php file with the patched version.
🔧 Temporary Workarounds
Input Validation Workaround
Add input validation before calling the math_round function to ensure its parameters are not NULL.
Modify the calling code to check that input parameters are valid (non-NULL, numeric) before calling math_round.
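The workaround above, as an added example that is not PrestaShop's own code and not the fix commit: a guarded front door that validates the value and precision arguments before any math_round-style call is made, so malformed input is rejected with a clear error instead of reaching the vulnerable routine. It assumes the callee takes the (value, places) shape; the fallback to PHP's built-in round() exists only so the file runs stand-alone, and wiring it to Tools::math_round is shown as a hypothetical comment.

```php
<?php
// Added example, not PrestaShop code: validate arguments before delegating to a
// rounding routine such as Tools::math_round. Assumption: the callee takes
// ($value, $places). The built-in round() fallback only makes the demo self-contained.

declare(strict_types=1);

/**
 * Validate and normalise the arguments for a math_round-style call.
 * Returns [float $value, int $places] or throws InvalidArgumentException.
 */
function validateRoundArgs($value, $places): array
{
    // Reject NULL and anything non-numeric explicitly: a bare (float) cast would
    // silently turn NULL into 0.0 and hide the bad input instead of surfacing it.
    if ($value === null || !is_numeric($value)) {
        throw new InvalidArgumentException('value must be a non-null numeric, got ' . gettype($value));
    }
    $value = (float) $value;
    if (!is_finite($value)) {
        throw new InvalidArgumentException('value must be finite');
    }
    if ($places === null || filter_var($places, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('places must be a non-null integer, got ' . gettype($places));
    }
    $places = (int) $places;
    // Bound the precision so request-controlled input cannot ask for absurd work.
    if ($places < 0 || $places > 10) {
        throw new InvalidArgumentException('places must be between 0 and 10');
    }
    return [$value, $places];
}

/**
 * Guarded wrapper: validate first, then call the real rounding function.
 * $rounder is any callable with the (value, places) shape; in a PrestaShop
 * context that would be [Tools::class, 'math_round'] (hypothetical wiring).
 */
function safeMathRound($value, $places, ?callable $rounder = null): float
{
    [$v, $p] = validateRoundArgs($value, $places);
    $rounder = $rounder ?? static fn (float $x, int $n): float => round($x, $n);
    return (float) $rounder($v, $p);
}

// Constructed inputs, shaped like values arriving from an HTTP request.
$samples = [
    ['19.995', '2'],   // valid, price-like input as strings
    [null, 2],         // the NULL value case the advisory describes
    ['abc', 2],        // non-numeric string
    [3.14159, -1],     // negative precision
    [3.14159, null],   // missing precision
];

foreach ($samples as [$value, $places]) {
    try {
        printf("math_round(%s, %s) = %s\n",
            var_export($value, true), var_export($places, true), safeMathRound($value, $places));
    } catch (InvalidArgumentException $e) {
        // Rejected input is logged and the request can return HTTP 400 instead of crashing.
        printf("rejected (%s, %s): %s\n",
            var_export($value, true), var_export($places, true), $e->getMessage());
    }
}
```

Run it with `php safe_round.php`; the first sample rounds normally and the other four are rejected before any rounding code executes. The point of the design is that the check sits at the boundary where untrusted input enters, so every caller of math_round is covered by one guard rather than each call site being patched individually.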
🧯 If You Can't Patch
- Implement web application firewall rules to block malformed input to affected endpoints
- Disable or restrict access to functionality that uses the math_round function
🔍 How to Verify
Check if Vulnerable:
Check if your PrestaShop version is 8.1.4 and review the Tools.php file at line 1774 for the vulnerable math_round implementation
Check Version:
Check PrestaShop version in configuration files or admin panel
Verify Fix Applied:
Verify that the math_round function in Tools.php includes proper NULL checks as shown in the fix commit
📡 Detection & Monitoring
Log Indicators:
- Application crashes or segmentation faults in error logs
- Unusual NULL pointer exceptions in application logs
Network Indicators:
- HTTP 500 errors from PrestaShop endpoints
- Unusual traffic patterns to math_round-related functionality
SIEM Query:
source="prestashop_logs" AND ("NULL pointer" OR "segmentation fault" OR "math_round")
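The SIEM query above, applied as an added example (not from the advisory or PrestaShop) to sample log lines: a small scanner that matches the same three indicator terms, then counts hits per client so that repeated triggering from one source stands out from a single benign error. The log lines and their format (ISO timestamp, client IP, message) are constructed for the demo and are not PrestaShop's actual log format.

```php
<?php
// Added example, not from the advisory: apply the advisory's indicator terms to
// log lines and flag clients whose hit count reaches a threshold.
// Log format "<timestamp> <ip> <message>" is a constructed assumption.

declare(strict_types=1);

// Indicator terms taken from the advisory's SIEM query (matched case-insensitively).
const INDICATORS = ['NULL pointer', 'segmentation fault', 'math_round'];

/**
 * Return the indicator terms present in one log line, or [] if none match.
 */
function matchIndicators(string $line): array
{
    $hits = [];
    foreach (INDICATORS as $term) {
        if (stripos($line, $term) !== false) {
            $hits[] = $term;
        }
    }
    return $hits;
}

/**
 * Count matching lines per client IP and return clients at or above $threshold.
 */
function findNoisyClients(array $lines, int $threshold): array
{
    $perClient = [];
    foreach ($lines as $line) {
        if (matchIndicators($line) === []) {
            continue;
        }
        $parts = explode(' ', $line, 3);
        $ip = $parts[1] ?? 'unknown';
        $perClient[$ip] = ($perClient[$ip] ?? 0) + 1;
    }
    // One hit may be an ordinary bug; repeated hits from one client suggest probing.
    return array_filter($perClient, static fn (int $n): bool => $n >= $threshold);
}

// Constructed sample log lines (not real PrestaShop output).
$lines = [
    '2024-06-01T10:00:01Z 203.0.113.5 PHP Fatal error: TypeError in Tools::math_round()',
    '2024-06-01T10:00:02Z 203.0.113.5 PHP Fatal error: TypeError in Tools::math_round()',
    '2024-06-01T10:00:03Z 203.0.113.5 PHP Fatal error: TypeError in Tools::math_round()',
    '2024-06-01T10:00:04Z 198.51.100.7 Order 1234 confirmed',
    '2024-06-01T10:00:05Z 198.51.100.9 Deprecated: math_round received null precision',
];

foreach ($lines as $line) {
    $hits = matchIndicators($line);
    if ($hits !== []) {
        printf("MATCH [%s] %s\n", implode(', ', $hits), $line);
    }
}

echo "Clients with 2 or more indicator hits:\n";
print_r(findNoisyClients($lines, 2));
```

The per-client count is the part the raw query lacks: the term `math_round` alone will also match deprecation notices and ordinary errors, so a single match is a weak signal, while several matches from the same client in a short window are worth an alert. The HTTP 500 counts listed under network indicators can be aggregated the same way from the web server access log.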