{"id":"CVE-2018-10237","details":"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.","aliases":["GHSA-mvr2-9pj6-7w5j"],"modified":"2026-04-10T04:03:55.421501Z","published":"2018-04-26T21:29:00.230Z","related":["CGA-6956-p4rg-3vgj"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d%40%3Cdev.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55%40%3Cissues.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84%40%3Cissues.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919%40%3Cissues.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1%40%3Ccommon-dev.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"http://www.securitytracker.com/id/1041707"},{"type":"WEB","url":"https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc%40%3Chdfs-dev.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084%40%3Cgitbox.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495%40%3Ccommon-dev.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94%40%3Cissues.storm.apache.org%3E"},{"type":"ADVISORY","url":"https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2428"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2742"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2424"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2741"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3149"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2858"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2643"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220629-0008/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2423"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2425"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2598"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2740"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2743"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/google/guava","events":[{"introduced":"5a6bf80c7403d77df18adb41b5b15ea34d28186d"},{"fixed":"49fad5af840b2a28dd0dc24ecfd58b4baa8d67bc"},{"introduced":"0"},{"last_affected":"9df9a23de5323275f5614aa7e732a636029f9b70"},{"introduced":"0"},{"last_affected":"00efa0ca1b0ab665d1f3d6deacbb156cf797ebdf"},{"introduced":"0"},{"last_affected":"00efa0ca1b0ab665d1f3d6deacbb156cf797ebdf"},{"introduced":"0"},{"last_affected":"00efa0ca1b0ab665d1f3d6deacbb156cf797ebdf"},{"introduced":"0"},{"last_affected":"798803f026bb9517bcf4e0e9ab2d2e0345023182"},{"introduced":"0"},{"last_affected":"798803f026bb9517bcf4e0e9ab2d2e0345023182"},{"introduced":"0"},{"last_affected":"daa84b68f31898f67a51207e193ee2ddabb088bf"},{"introduced":"0"},{"last_affected":"7ce15119ae3b8ea71bdfd43bd6a0b96f851187d0"},{"introduced":"0"},{"last_affected":"2537d1ed4795f8fad737a7bf6d6f93fbdfa28e54"},{"introduced":"0"},{"last_affected":"7ce15119ae3b8ea71bdfd43bd6a0b96f851187d0"},{"introduced":"0"},{"last_affected":"2537d1ed4795f8fad737a7bf6d6f93fbdfa28e54"},{"introduced":"0"},{"last_affected":"904234dc2f365314c636d29385780faf72db2477"}],"database_specific":{"versions":[{"introduced":"11.0"},{"fixed":"24.1.1"},{"introduced":"0"},{"last_affected":"13"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"18.0"},{"introduced":"0"},{"last_affected":"18c"},{"introduced":"0"},{"last_affected":"19c"},{"introduced":"0"},{"last_affected":"15.0"},{"introduced":"0"},{"last_affected":"16.0"},{"introduced":"0"},{"last_affected":"15.0"},{"introduced":"0"},{"last_affected":"16.0"},{"introduced":"0"},{"last_affected":"17.0"}]}}],"versions":["jdk5-backport-branch-point","release","v13.0-final","v13.0-rc2","v15.0","v15.0-rc1","v16.0","v16.0-rc1","v17.0","v17.0-rc1","v17.0-rc2","v18.0","v18.0-rc1","v18.0-rc2","v19.0","v19.0-rc1","v19.0-rc2","v19.0-rc3","v2.0","v24.1","v4.0","v7.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.11"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1.0"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10237.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}