CVE-2018-13348
HIGH
Mercurial < 4.6.1 - Denial of Service via mpatch_decode Function
Title source: llm
Description
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
References (3)
Core References
Patch, Vendor Advisory x_refsource_misc
https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
Vendor Advisory x_refsource_misc
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
Scores
CVSS v3
7.5
EPSS
0.0209
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (2)
mercurial/mercurial
< 4.6.1
pypi/mercurial
0 - 4.6.1 PyPI
Published
Jul 06, 2018
Tracked Since
Feb 18, 2026