AVID-2026-R1435
Description
Use after free in C++ protobuf (CVE-2024-2410)
Details
The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed.
Reason for inclusion in AVID: The CVE describes a software vulnerability (use-after-free) in the Protocol Buffers C++ library (protobuf). Protobuf is a widely used dependency in AI software stacks for data serialization, ingestion, and model-serving pipelines. The vulnerability concerns software components that are part of the AI supply chain (dependencies, runtimes, libraries) and could affect AI systems during the build, deploy, and run phases. It is a security vulnerability with a clear CVE identifier and CVSS details, which provides sufficient evidence for the report.
References
Affected or Relevant Artifacts
- Developer: protocolbuffers
- Deployer: protocolbuffers
- Artifact Details:
| Type | Name |
|---|---|
| System | protobuf |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
| Base Score | 7.6 |
| Base Severity | 🔴 High |
| Attack Vector | Network |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🟢 Low |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-416 | Use After Free |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-05-03
- Version: 0.3.3
- AVID Entry