CVE-2022-36124

HIGH

Apache Avro Rust SDK <0.14.0 - Memory Corruption

Title source: llm
STIX 2.1

Description

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

References (1)

Core 1
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/kj429rzo1xxjgz058qqqg0y7c0p512zo

Scores

CVSS v3 7.5
EPSS 0.0128
EPSS Percentile 66.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (3)
apache/avro < 0.14.0
Apache Software Foundation/Apache Avro unspecified - 0.14.0
crates.io/apache-avro 0 - 0.14.0crates.io
Published Aug 09, 2022
Tracked Since Feb 18, 2026