{"id":"CVE-2018-9860","details":"An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC comparison will subsequently fail and the connection will be closed. This could be used for denial of service. No information leak occurs.","modified":"2026-03-14T09:31:37.456553Z","published":"2018-04-12T05:29:00.220Z","related":["openSUSE-SU-2024:10594-1"],"references":[{"type":"ADVISORY","url":"https://botan.randombit.net/security.html"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7434"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/randombit/botan","events":[{"introduced":"c83872bb775916d88196fb2eca6971329711e2d3"},{"fixed":"d7d080992372cf4fbd569cce1d8cd6aa7599fa0d"}],"database_specific":{"versions":[{"introduced":"1.11.32"},{"fixed":"2.6.0"}]}}],"versions":["1.11.32","1.11.33","1.11.34","2.0.0","2.0.1","2.1.0","2.2.0","2.3.0","2.4.0","2.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9860.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}