CVE-2024-53984
📋 TL;DR
This vulnerability in Nanopb's Protocol Buffers implementation causes a memory leak during message decoding when three conditions coincide: the library is built with PB_ENABLE_MALLOC enabled, the input comes from a custom stream callback, and the message is decoded in delimited mode. The leaked memory accumulates and can lead to denial of service over time.
💻 Affected Systems
- Nanopb Protocol Buffers implementation
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust system memory, causing application crashes or system instability leading to denial-of-service.
Likely Case
Gradual memory consumption increase over time, potentially causing application performance degradation or crashes during extended operation.
If Mitigated
Minimal impact with proper monitoring and memory limits in place; occasional memory leaks that don't significantly affect system stability.
🎯 Exploit Status
Exploitation requires specific configuration conditions and ability to trigger the vulnerable code path with controlled input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.9.1
Vendor Advisory: https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
Restart Required: Yes
Instructions:
1. Update Nanopb to version 0.4.9.1 or later
2. Recompile applications using the updated library
3. Restart affected services
🔧 Temporary Workarounds
Disable PB_ENABLE_MALLOC
Compile without the PB_ENABLE_MALLOC option if the dynamic allocation features are not required.
Modify the build configuration to remove -DPB_ENABLE_MALLOC.
Avoid PB_DECODE_DELIMITED with custom streams
Use an alternative decoding method when a custom stream callback is used with an unknown message length.
🧯 If You Can't Patch
- Implement memory usage monitoring and alerts for abnormal consumption patterns
- Configure application memory limits and automatic restart policies for memory exhaustion scenarios
🔍 How to Verify
Check if Vulnerable:
Check whether the application uses a Nanopb version earlier than 0.4.9.1 with PB_ENABLE_MALLOC enabled and calls pb_decode_ex() with the PB_DECODE_DELIMITED flag
Check Version:
Check the build configuration for the Nanopb version in use and the compile-time options it is built with
Verify Fix Applied:
Verify that the Nanopb version is 0.4.9.1 or later and that the applications have been recompiled against the updated library
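The verification steps above, as an added build-time audit written for this page (not code from the advisory or the Nanopb project): it compares the Nanopb version string against 0.4.9.1 and reads the PB_ENABLE_MALLOC switch from the build it is compiled in. It assumes pb.h defines NANOPB_VERSION as a "nanopb-X.Y.Z[.W]" string; whether pb_decode_ex() is called with PB_DECODE_DELIMITED on a custom stream is a property of the calling code and is passed in from code review.

```c
/* Added audit (not Nanopb project code): flags Nanopb < 0.4.9.1 built with
 * PB_ENABLE_MALLOC when pb_decode_ex() runs with PB_DECODE_DELIMITED on a
 * custom stream. Assumes pb.h defines NANOPB_VERSION as "nanopb-X.Y.Z[.W]". */
#include <stdio.h>
#include <string.h>
#ifdef __has_include
#if __has_include(<pb.h>)
#include <pb.h> /* real build: supplies NANOPB_VERSION and PB_ENABLE_MALLOC */
#endif
#endif

/* "nanopb-0.4.9.1" or "0.4.9" -> four ints (a missing trailing field is 0). */
static int parse_nanopb_version(const char *s, int v[4])
{
    if (strncmp(s, "nanopb-", 7) == 0) s += 7;
    v[0] = v[1] = v[2] = v[3] = 0;
    return sscanf(s, "%d.%d.%d.%d", &v[0], &v[1], &v[2], &v[3]) >= 3;
}

/* 1 = exposed, 0 = not exposed, -1 = version string not understood. */
int nanopb_cve_2024_53984_exposed(const char *version, int malloc_enabled,
                                  int delimited_on_custom_stream)
{
    static const int fixed[4] = {0, 4, 9, 1};
    int v[4];
    if (!parse_nanopb_version(version, v)) return -1;
    if (!malloc_enabled || !delimited_on_custom_stream) return 0;
    for (int i = 0; i < 4; i++) {
        if (v[i] < fixed[i]) return 1;
        if (v[i] > fixed[i]) return 0;
    }
    return 0; /* exactly 0.4.9.1 carries the fix */
}
int main(void)
{
#ifdef NANOPB_VERSION
    const char *ver = NANOPB_VERSION;
#else
    const char *ver = "nanopb-0.4.8"; /* constructed sample: pb.h not on the include path */
#endif
#ifdef PB_ENABLE_MALLOC
    int malloc_on = 1;
#else
    int malloc_on = 0;
#endif
    /* Last argument: set from code review of the pb_decode_ex(PB_DECODE_DELIMITED) calls. */
    int r = nanopb_cve_2024_53984_exposed(ver, malloc_on, 1);
    printf("%s: %s\n", ver, r == 1 ? "EXPOSED" : r == 0 ? "not exposed" : "unknown");
    return r == 1; /* non-zero exit fails a CI step */
}
```

Compile this unit with the same include path and -D flags as the application so the macros reflect the real build.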
📡 Detection & Monitoring
Log Indicators:
- Abnormal memory consumption patterns
- Application crashes due to out-of-memory errors
- Repeated memory allocation failures
Network Indicators:
- Unusually large or frequent Protocol Buffers messages being processed
SIEM Query:
process memory usage > threshold AND process name matches the applications known to link against Nanopb