CVE-2023-22895
Severity: HIGH
bzip2 < 0.4.4 - Denial of Service via Integer Overflow in mem.rs
Title source: llmDescription
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product, a separately named crate; only the crate named exactly bzip2 is affected.
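The record names the bug class (CWE-190) and the trigger (a large input) but not the affected lines, which live in the linked PR #86. The following is an added illustration of that class in Rust and is not the bzip2 crate's own code: a 64-bit buffer length is handed to a 32-bit stream field, so a file of 4 GiB plus a few bytes is silently presented to the library as a few bytes. The RawStream struct and its 32-bit avail_in field are an assumed stand-in for a C stream structure; the chunked and checked variants are the two usual mitigations.

```rust
use std::convert::TryFrom;

/// Assumed stand-in for an FFI stream (not the crate's real type): a 32-bit
/// "bytes available" field plus a 64-bit running total of bytes consumed.
#[derive(Default, Debug)]
pub struct RawStream {
    pub avail_in: u32,
    pub total_in: u64,
}

/// Simulates the library consuming everything it was told is available.
fn run_library(stream: &mut RawStream) {
    stream.total_in += u64::from(stream.avail_in);
    stream.avail_in = 0;
}

/// Vulnerable pattern (CWE-190): the 64-bit length is cast to the 32-bit
/// field with `as`, which wraps instead of failing. For an input of
/// 2^32 + 5 bytes the library is told 5 bytes are available, so almost the
/// whole file is never processed and the caller's bookkeeping is wrong.
pub fn feed_truncating(input_len: u64) -> u64 {
    let mut stream = RawStream::default();
    stream.avail_in = input_len as u32; // wraps for input_len >= 2^32
    run_library(&mut stream);
    stream.total_in
}

/// Hardened pattern: never hand the library more than u32::MAX at once, and
/// loop over the input in chunks that fit the field, so every byte of an
/// arbitrarily large input is accounted for.
pub fn feed_chunked(input_len: u64) -> u64 {
    let mut stream = RawStream::default();
    let mut remaining = input_len;
    while remaining > 0 {
        let chunk = remaining.min(u64::from(u32::MAX));
        stream.avail_in = u32::try_from(chunk).expect("chunk bounded by u32::MAX");
        run_library(&mut stream);
        remaining -= chunk;
    }
    stream.total_in
}

/// Alternative hardening: reject an oversized length up front with a
/// checked conversion instead of chunking.
pub fn checked_avail_in(input_len: u64) -> Result<u32, String> {
    u32::try_from(input_len)
        .map_err(|_| format!("input of {} bytes exceeds the 32-bit stream field", input_len))
}

fn main() {
    // Constructed sample length: 4 GiB + 5 bytes.
    let big = (1u64 << 32) + 5;
    println!("truncating: consumed {} of {} bytes", feed_truncating(big), big);
    println!("chunked:    consumed {} of {} bytes", feed_chunked(big), big);
    println!("checked:    {:?}", checked_avail_in(big));
}
```

The same wrap applies to any `as` narrowing of a length or offset; `u32::try_from`, `checked_add` and friends make the overflow visible instead of silent, which is the property a decompressor fed untrusted input needs.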
References (5)
Patch, Third Party Advisory: https://crates.io/crates/bzip2/versions
Exploit, Patch, Third Party Advisory: https://github.com/alexcrichton/bzip2-rs/pull/86
Mailing List, Third Party Advisory, vendor advisory: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MI5SVRSGKBWB2JGDLDVIFY5ZQVDZP6I7/
Mailing List, Third Party Advisory, vendor advisory: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQK57GGXJX3AH7KF6S7S3N7JC5QOYUQ7/
Mailing List, Third Party Advisory, vendor advisory: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUK2JO25PPA6XBREKJRBLRCD22LKIOLO/
Scores
CVSS v3: 7.5 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0121 (percentile 64.5%)
The vector reads as: reachable over the network, low attack complexity, no privileges and no user interaction required, no confidentiality or integrity impact, high availability impact, which matches a denial of service in any service that decompresses attacker-supplied bzip2 data with the affected crate.
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-190 (Integer Overflow or Wraparound)
Status: published
Products (2)
bzip2_project/bzip2: < 0.4.4
crates.io/bzip2: 0 to < 0.4.4 (fixed in 0.4.4; source: crates.io)
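A practical check for the affected range above, added here as an example and not part of the advisory: scan a Cargo.lock for the crate named exactly bzip2 and flag any version below 0.4.4. The lockfile text embedded below is constructed sample input, including the versions shown for bzip2-rs and bzip2-sys; the exact-name match is deliberate, since the separately named bzip2-rs crate is not affected and must not be reported.

```rust
/// Semantic version triple, enough for ordering crates.io releases.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// First release carrying the fix, per the advisory text.
pub const FIXED: Version = Version(0, 4, 4);

/// Parses "MAJOR.MINOR.PATCH", ignoring any "-pre" or "+build" suffix.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some(Version(parts.next()??, parts.next()??, parts.next()??))
}

/// Minimal line-based walk over the `[[package]]` tables of a Cargo.lock,
/// returning (name, version) pairs. Cargo writes `name = "..."` and
/// `version = "..."` as the first keys of each table, which is all this needs.
pub fn packages(lock: &str) -> Vec<(String, String)> {
    let mut pkgs = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                pkgs.push((n, v));
            }
            name = None; // drop any top-level `version = N` seen before the first table
            version = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        pkgs.push((n, v));
    }
    pkgs
}

/// Versions of the crate named exactly `bzip2` that are below the fix.
pub fn affected_bzip2(lock: &str) -> Vec<String> {
    packages(lock)
        .into_iter()
        .filter(|(n, v)| n.as_str() == "bzip2" && parse_version(v).map_or(false, |pv| pv < FIXED))
        .map(|(_, v)| v)
        .collect()
}

/// Constructed sample lockfile (not taken from any real project).
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "bzip2"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bzip2-sys",
 "libc",
]

[[package]]
name = "bzip2-rs"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bzip2-sys"
version = "0.1.11+1.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // Pass a path to a real Cargo.lock as the first argument; otherwise the sample is used.
    let lock = std::env::args()
        .nth(1)
        .map(|p| std::fs::read_to_string(p).expect("read Cargo.lock"))
        .unwrap_or_else(|| SAMPLE_LOCK.to_string());
    for v in affected_bzip2(&lock) {
        println!("bzip2 {} is below {}.{}.{}: affected by CVE-2023-22895", v, FIXED.0, FIXED.1, FIXED.2);
    }
}
```

On the sample this reports only bzip2 0.4.3; bzip2-rs and bzip2-sys are ignored because their names differ. Upgrading to bzip2 0.4.4 or later clears the finding.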
Published: Jan 10, 2023
Tracked Since: Feb 18, 2026