CVE-2016-9939 affects Crypto++ (aka cryptopp and libcrypto++) 5.6.4 in its ASN.1 BER decoding path. When the decoder allocates memory from the ASN.1 length field and then discovers there are not enough content octets, it fails and zeroes the allocated block even if it is otherwise unused. For large allocations, that wipe introduces a noticeable delay, which can translate into a high-impact availability pr [truncated]
CVE-2016-7544 describes a memory-management flaw in Crypto++ 5.6.4. In the affected code path, the library uses Microsoft's stack-oriented _malloca and _freea helpers to align a table in memory. If that table is later reallocated, the code may free the wrong pointer, which can destabilize the process and is scored as a high-severity availability issue.
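For the CVE-2016-9939 pattern described above, the defensive ordering is to compare the declared ASN.1 length against the octets actually present before any buffer is sized from it. The following is an added example, not Crypto++ code: `BerValue` and `ParseTlv` are hypothetical names, and it assumes a single-octet tag and definite-length encoding.

```cpp
// Added illustration, not Crypto++ source. BerValue and ParseTlv are hypothetical names.
// Assumes a single-octet tag and definite-length encoding.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct BerValue {
    uint8_t tag;
    std::vector<uint8_t> content;
};

// Parses one TLV from buf[0..len). Returns false on malformed or truncated
// input, before any buffer is sized from the attacker-controlled length.
bool ParseTlv(const uint8_t* buf, size_t len, BerValue& out) {
    if (len < 2) return false;
    size_t pos = 0;
    const uint8_t tag = buf[pos++];
    const uint8_t first = buf[pos++];
    size_t declared = 0;
    if ((first & 0x80) == 0) {
        declared = first;                        // short form: length is in this octet
    } else {
        const size_t n = first & 0x7F;           // long form: n length octets follow
        if (n == 0 || n > sizeof(size_t)) return false;  // indefinite form or too wide
        if (n > len - pos) return false;         // length octets themselves truncated
        for (size_t i = 0; i < n; ++i) declared = (declared << 8) | buf[pos++];
    }
    // Core check: the declared length must fit in the bytes that are present.
    if (declared > len - pos) return false;
    out.tag = tag;
    out.content.assign(buf + pos, buf + pos + declared);  // allocation bounded by len
    return true;
}

int main() {
    // Constructed input: OCTET STRING claiming 0x7FFFFFFF bytes, carrying one.
    const uint8_t huge[] = {0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0x41};
    BerValue v;
    std::printf("oversized length accepted: %s\n",
                ParseTlv(huge, sizeof huge, v) ? "yes" : "no");
    return 0;
}
```

Because the length check precedes `assign`, a rejected element costs no allocation and leaves nothing to wipe, whatever size the length field claims.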