CVE-2018-3972

CRITICAL

Monero - Insecure Deserialization

Title source: rule

Description

An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

References (2)

[Third Party Advisory] https://blog.talosintelligence.com/2018/09/epee-levin-vuln.html

[Exploit, Third Party Advisory] https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0637

Scores

CVSS v3 9.8

EPSS 0.0077

EPSS Percentile 73.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

getmonero/monero

Timeline

Published Sep 26, 2018

Tracked Since Feb 18, 2026