{"id":"CVE-2018-8754","details":"The libevt_record_values_read_event() function in libevt_record_values.c in libevt before 2018-03-17 does not properly check for out-of-bounds values of user SID data size, strings size, or data size. NOTE: the vendor has disputed this as described in libyal/libevt issue 5 on GitHub","modified":"2026-04-11T08:05:26.536386Z","published":"2018-03-18T03:29:00.277Z","references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4160"},{"type":"FIX","url":"https://github.com/libyal/libevt/commit/9d2cc3ca0a1612a6b271abcacffc2e3eea42925e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libyal/libevt","events":[{"introduced":"0"},{"fixed":"9d2cc3ca0a1612a6b271abcacffc2e3eea42925e"}]},{"type":"GIT","repo":"https://github.com/libyal/libevt","events":[{"introduced":"0"},{"fixed":"9d2cc3ca0a1612a6b271abcacffc2e3eea42925e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8754.json","vanir_signatures_modified":"2026-04-11T08:05:26Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/libyal/libevt/commit/9d2cc3ca0a1612a6b271abcacffc2e3eea42925e","id":"CVE-2018-8754-3f986883","deprecated":false,"digest":{"length":13889,"function_hash":"328806791920141836097821925494888548548"},"target":{"file":"libevt/libevt_record_values.c","function":"libevt_record_values_read_event"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/libyal/libevt/commit/9d2cc3ca0a1612a6b271abcacffc2e3eea42925e","id":"CVE-2018-8754-5dc3ebe1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["51112617817381470526898075985939226817","209814071484798656978334869769637931595","334780287653522716604515224877877007187","16164736215274873211489266935237958324"]},"target":{"file":"libevt/libevt_libfvalue.h"},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/libyal/libevt/commit/9d2cc3ca0a1612a6b271abcacffc2e3eea42925e","id":"CVE-2018-8754-f73e86b8","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["92799791960137351700281435855772586932","145652949093903814047424564394699575725","274370936226901950082546298069264639947","323513851127216338183618064940517795907","228446764750223997884533712165541632311","242499523647841374905494021408114950863","192277143567889843270626008936986180065","55192203568652503674044929168672209345","6933495259059970773535786024409536809","12313788311176403137741611854858197723","255884067066237272731947449442511904746","55192203568652503674044929168672209345","124600398839188082735394436794280254776","108190048222500245008484958610157010837","84683154876325881690931977953289724673","277999817807632283775034675856228038617"]},"target":{"file":"libevt/libevt_record_values.c"},"signature_type":"Line"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"20180317"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"fixed":"2018-03-17"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}