CVE-2024-25110

CRITICAL

Microsoft azure-uamqp < 2024-02-01 - Remote Code Execution via open_get_offered_capabilities Use-After-Free

Title source: llm

Description

The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v

Patch x_refsource_misc

https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0664

EPSS Percentile 93.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-416 CWE-94

Status published

Products (1)

microsoft/azure_uamqp < 2024-02-01

Published Feb 12, 2024

Tracked Since Feb 18, 2026