CVE-2015-5380

Google V8 <0.12.6, io.js <1.8.3, 2.x <2.3.3 - Memory Corruption

Title source: llm

Description

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.

References (5)

Core 5

Core References

Patch x_refsource_confirm

https://codereview.chromium.org/1226493003

Issue Tracking x_refsource_confirm

https://github.com/joyent/node/issues/25583

Patch x_refsource_confirm

http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/75556

Various Sources x_refsource_confirm

https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852

Scores

EPSS 0.0062

EPSS Percentile 70.3%

Details

CWE

CWE-119

Status published

Products (12)

google/v8

iojs/io.js 2.0.0

iojs/io.js 2.0.1

iojs/io.js 2.0.2

iojs/io.js 2.1.0

iojs/io.js 2.2.0

iojs/io.js 2.2.1

iojs/io.js 2.3.0

iojs/io.js 2.3.1

iojs/io.js 2.3.2

... and 2 more

Published Jul 09, 2015

Tracked Since Feb 18, 2026