Skip to main content

Grpc CVE-2024-11407

MEDIUM
Incorrect Calculation (CWE-682)
2024-11-26 cve-coordination@google.com
6.9
CVSS 4.0 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:X/RE:L/U:Green

Primary rating from Vendor (google) · only source for this CVE.

CVSS VectorVendor: google

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:X/RE:L/U:Green
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
P
Scope
N

Lifecycle Timeline

1
CVE Published
Nov 26, 2024 - 17:15 cve.org
MEDIUM 6.9

DescriptionCVE.org

There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network thus leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791

AnalysisAI

There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable.

Technical ContextAI

This vulnerability is classified under CWE-682. There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network thus leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 Affected products include: Grpc.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Grpc

View all
CVE-2017-8359 CRITICAL POC
9.8 Apr 30

Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_

CVE-2024-7246 MEDIUM POC
6.3 Aug 06

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the ba

CVE-2017-7860 CRITICAL
9.8 Apr 14

Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_uni

CVE-2017-7861 CRITICAL
9.8 Apr 14

Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c. R

CVE-2017-9431 CRITICAL
9.8 Jun 05

Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomg

CVE-2020-7768 CRITICAL
9.8 Nov 11

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPac

CVE-2026-48853 CRITICAL
9.2 Jun 15

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remo

CVE-2026-53430 HIGH
8.7 Jun 15

Denial of service in the elixir-grpc library (versions 0.4.0 through 0.x) allows unauthenticated remote attackers to cra

CVE-2026-48854 HIGH
8.7 Jun 15

Unauthenticated denial of service in the elixir-grpc library (versions 0.3.1 up to but not including 1.0.0) allows a sin

CVE-2026-48599 HIGH
7.6 Jun 15

Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers

CVE-2023-4785 HIGH
7.5 Sep 13

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Rated

CVE-2023-33953 HIGH
7.5 Aug 09

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clien

Share

CVE-2024-11407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy