{"id":"CVE-2024-55884","details":"In the Mullvad VPN client 2024.6 (Desktop), 2024.8 (iOS), and 2024.8-beta1 (Android), the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable() in exception_logging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial.","modified":"2026-04-09T10:33:19.175096Z","published":"2024-12-12T02:08:23.127Z","references":[{"type":"WEB","url":"https://news.ycombinator.com/item?id=42390768"},{"type":"WEB","url":"https://x41-dsec.de/news/2024/12/11/mullvad/"},{"type":"FIX","url":"https://github.com/mullvad/mullvadvpn-app/commit/ef6c862071b26023802b00d6e1dc6ca53d1ab3e6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mullvad/mullvadvpn-app","events":[{"introduced":"0"},{"fixed":"ef6c862071b26023802b00d6e1dc6ca53d1ab3e6"}]}],"versions":["2017.1-alpha4","2017.1-alpha5","2017.1-beta1","2017.1-beta2","2017.1-beta3","2017.1-beta4","2018.1-beta8","2018.1-beta9","2018.2-beta1","2018.2-beta2","2018.2-beta3","2018.3","2018.3-beta1","2018.4-beta1","2018.4-beta2","2018.6-beta1","2019.10-beta1","2019.10-beta2","2019.2-beta1","2019.7","2019.7-beta1","2019.8","2019.8-beta1","2019.9","2019.9-beta1","2020.4-beta1","2020.4-beta2","2020.5-beta1","2020.5-beta2","2024.6-beta1","2024.6-beta2","android/fix-devmole-google-play","ios/2020.1","ios/2020.2","ios/2020.3","ios/2020.4","ios/2020.5","ios/2021.1","ios/2021.2","ios/2021.3","ios/2021.4","ios/2022.1","ios/2022.2","ios/2022.3","ios/2022.3-build1","ios/2022.3-build2","ios/2023.1","ios/2023.1-build5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-55884.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}