{"id":"CVE-2020-5235","details":"There is a potentially exploitable out-of-memory condition in Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field, and realloc() runs out of memory when expanding the array, nanopb can end up calling `free()` on a pointer value that comes from uninitialized memory. Depending on the platform, this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, and nanopb-0.2.9.4.","aliases":["GHSA-gcx3-7m76-287p"],"modified":"2026-05-18T13:02:33.260569Z","published":"2020-02-04T03:15:10.657Z","related":["openSUSE-SU-2024:11074-1"],"references":[{"type":"FIX","url":"https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"},{"type":"FIX","url":"https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"},{"type":"FIX","url":"https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"},{"type":"FIX","url":"https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nanopb/nanopb","events":[{"introduced":"0"},{"fixed":"0c16fe3a18ce6f98ee35bff9ac5b2e0a9f012dfa"},{"introduced":"8dede6095ede2281879b3484fa848210bb63dcfc"},{"fixed":"accfbbbd6840dd796efe835a0bf4f89a0835c238"},{"introduced":"c29ca83ff47a7224172a74ccfee07d91fa040e4c"},{"fixed":"3eb9a75c1e66e6182e87e2bd758ff2a4d16acbdc"},{"fixed":"45582f1f97f49e2abfdba1463d1e1027682d9856"},{"fixed":"7b396821ddd06df8e39143f16e1dc0a4645b89a3"},{"fixed":"aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.2.9.4"},{"introduced":"0.3.0"},{"fixed":"0.3.9.5"},{"introduced":"0.4.0"},{"fixed":"0.4.1"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:nanopb_project:nanopb:*:*:*:*:*:*:*:*"}}],"versions":["nanop
b-0.4.0","0.4.0","nanopb-0.3.9.4","0.3.9.4","nanopb-0.3.9.3","0.3.9.3","nanopb-0.3.9.1","0.3.9.1","nanopb-0.4.0-dev","nanopb-0.3.9","0.3.9","nanopb-0.3.8","0.3.8","nanopb-0.3.7","0.3.7","nanopb-0.3.6","0.3.6","nanopb-0.2.9.3","nanopb-0.2.9.2","nanopb-0.3.5","nanopb-0.3.4","nanopb-0.3.3","nanopb-0.3.2","nanopb-0.2.9.1","nanopb-0.3.1","nanopb-0.2.9","nanopb-0.3.0","nanopb-0.2.8","nanopb-0.2.7","nanopb-0.2.6","nanopb-0.2.5","nanopb-0.2.4","nanopb-0.2.3","nanopb-0.2.2","nanopb-0.2.1","nanopb-0.2.0","nanopb-0.1.9","nanopb-0.1.8","nanopb-0.1.7","nanopb-0.1.6","nanopb-0.1.5","nanopb-0.1.4","nanopb-0.1.3","nanopb-0.1.2","nanopb-0.1.1","nanopb-0.1.0"],"database_specific":{"vanir_signatures_modified":"2026-05-18T13:02:33Z","vanir_signatures":[{"digest":{"line_hashes":["28180582548366321054064859592678936499","173130919475097003140702953372688074728","110934570171770968869145982918882243485","98635544888241784543358525741201591600","253840358417371228185192742968541973977","262069779449910844287220592185549273856","339621988144188041086437483593633316235"],"threshold":0.9},"signature_version":"v1","id":"CVE-2020-5235-0abdd2bb","signature_type":"Line","deprecated":false,"target":{"file":"pb_decode.c"},"source":"https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"},{"digest":{"function_hash":"228901543440384795897718486285849338511","length":2230},"signature_version":"v1","id":"CVE-2020-5235-311edd17","signature_type":"Function","deprecated":false,"target":{"file":"pb_decode.c","function":"decode_pointer_field"},"source":"https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"},{"digest":{"function_hash":"243854632971909049111477995652417044673","length":2700},"signature_version":"v1","id":"CVE-2020-5235-677be4d7","signature_type":"Function","deprecated":false,"target":{"file":"pb_decode.c","function":"decode_pointer_field"},"source":"https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"},{"digest
":{"function_hash":"51163353477471131601889108384589894058","length":2620},"signature_version":"v1","id":"CVE-2020-5235-92c06ba9","signature_type":"Function","deprecated":false,"target":{"file":"pb_decode.c","function":"decode_pointer_field"},"source":"https://github.com/nanopb/nanopb/commit/accfbbbd6840dd796efe835a0bf4f89a0835c238"},{"digest":{"line_hashes":["165477520322638297651095831014103691890","110063504908703080620243362214468348999","322178983387047726090044168406985402334","227065484611923932531602001446345241513","231698434224719956075280466262717063938","54773041683124643386717824113635098148","164282937809346907653434918213913547083"],"threshold":0.9},"signature_version":"v1","id":"CVE-2020-5235-c3626fcc","signature_type":"Line","deprecated":false,"target":{"file":"pb_decode.c"},"source":"https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3"},{"digest":{"line_hashes":["140501944511697788913147936514983928461","36011667060077717794993412362000842087","220346423082981201819645974796037069439","287159839779562948190501274889884835927","117717705754731843475203082739271595433","216442497325668713690188347272576550889","148659607506413678697427110413022742351"],"threshold":0.9},"signature_version":"v1","id":"CVE-2020-5235-d73d6325","signature_type":"Line","deprecated":false,"target":{"file":"pb_decode.c"},"source":"https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856"},{"digest":{"function_hash":"120855412272600406950953084377941096669","length":2605},"signature_version":"v1","id":"CVE-2020-5235-e62333c7","signature_type":"Function","deprecated":false,"target":{"file":"pb_decode.c","function":"decode_pointer_field"},"source":"https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2"},{"digest":{"line_hashes":["29869461179647861645657258091060443398","317694239944793773870924798507162710887","49883338759718210682233669510260105190","242294418415078276896985376322876712433","248310
906136189448363926434074387488736","189740374876297406603777706333799033639","284442690694329733041268985325718674108","272626893910288436126163698675507604179","140010920080526551190981282851808777125","205917222463279468895442749076929447210","238709944891962448764753428586427220195","40882507757585628442126697972175740906","154718344813447301376129680377363645006","227126689996412852170158545407149072831","232856927769251022008376048706775725461","214916837446439956495702621056286272733","18748092267982132517460438577633511006","223673773813635383764777398979808598331"],"threshold":0.9},"signature_version":"v1","id":"CVE-2020-5235-e82b70d6","signature_type":"Line","deprecated":false,"target":{"file":"pb_decode.c"},"source":"https://github.com/nanopb/nanopb/commit/accfbbbd6840dd796efe835a0bf4f89a0835c238"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5235.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}