{"id": "CVE-2025-4432", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-05-09T16:15:25.467", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-4432", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2350655", "source": "secalert@redhat.com"}, {"url": "https://github.com/briansmith/ring", "source": "secalert@redhat.com"}, {"url": "https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05", "source": "secalert@redhat.com"}, {"url": "https://github.com/briansmith/ring/commit/ec2d3cf1d91f148c84e4806b4f0b3c98f6df3b38", "source": "secalert@redhat.com"}, {"url": "https://github.com/briansmith/ring/pull/2447", "source": "secalert@redhat.com"}, {"url": "https://rustsec.org/advisories/RUSTSEC-2025-0009.html", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el paquete Ring de Rust. Se puede generar un p\u00e1nico al habilitar la comprobaci\u00f3n de desbordamiento. En el protocolo QUIC, esta falla permite a un atacante inducir este p\u00e1nico mediante el env\u00edo de un paquete especialmente manipulado. Es probable que ocurra involuntariamente en 1 de cada 2**32 paquetes enviados o recibidos."}], "lastModified": "2025-05-12T17:32:32.760", "sourceIdentifier": "secalert@redhat.com"}