{"id":"CVE-2019-11924","details":"A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019.01.28.00 and above of fizz, until v2019.08.05.00.","modified":"2026-04-11T08:05:33.881770Z","published":"2019-08-20T20:15:11.290Z","references":[{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2019-11924"},{"type":"FIX","url":"https://github.com/facebookincubator/fizz/commit/3eaddb33619eaaf74a760872850c550ad8f5c52f"},{"type":"FIX","url":"https://github.com/facebookincubator/fizz/commit/6bf67137ef1ee5cd70c842b014c322b7deaf994b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebookincubator/fizz","events":[{"introduced":"f23526f10acb1df58580bf67bad67444eb3b16cc"},{"last_affected":"b7cdd336a9b07ddcc646521a5c94df964dc3078c"},{"fixed":"3eaddb33619eaaf74a760872850c550ad8f5c52f"},{"fixed":"6bf67137ef1ee5cd70c842b014c322b7deaf994b"}],"database_specific":{"versions":[{"introduced":"2019.01.28.00"},{"last_affected":"2019.08.05.00"}]}}],"versions":["v2019.01.28.00","v2019.02.04.00","v2019.02.11.00","v2019.02.18.00","v2019.02.25.00","v2019.03.04.00","v2019.03.18.00","v2019.03.25.00","v2019.04.01.00","v2019.04.08.00","v2019.04.15.00","v2019.04.22.00","v2019.04.29.00","v2019.05.06.00","v2019.05.13.00","v2019.05.20.00","v2019.05.27.00","v2019.06.03.00","v2019.06.10.00","v2019.06.17.00","v2019.06.24.00","v2019.07.01.00","v2019.07.08.00","v2019.07.15.00","v2019.07.22.00","v2019.07.29.00","v2019.08.05.00"],"database_specific":{"vanir_signatures_modified":"2026-04-11T08:05:33Z","vanir_signatures":[{"target":{"file":"fizz/record/RecordLayer.cpp"},"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["23378063232812343510597121253053980188","337853026302685657175503940457782108744","171101015422274171732617162602322313710","79890458142866171684638284595330799795"]},"deprecated":false,"signature_type":"Line","id":"CVE-2019-11924-531567ac","source":"https://github.com/facebookincubator/fizz/commit/3eaddb33619eaaf74a760872850c550ad8f5c52f"},{"target":{"file":"fizz/record/EncryptedRecordLayer.cpp"},"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["151199489339986283029704048209539753837","35517397393718965047041959265537461280","73305149069419082673031163121807567056","299230504749009405587606604815449187191"]},"deprecated":false,"signature_type":"Line","id":"CVE-2019-11924-7c2b9f5e","source":"https://github.com/facebookincubator/fizz/commit/6bf67137ef1ee5cd70c842b014c322b7deaf994b"},{"target":{"function":"ReadRecordLayer::readEvent","file":"fizz/record/RecordLayer.cpp"},"signature_version":"v1","digest":{"function_hash":"20185177363206806993423567665697563818","length":1319},"deprecated":false,"signature_type":"Function","id":"CVE-2019-11924-9024b023","source":"https://github.com/facebookincubator/fizz/commit/3eaddb33619eaaf74a760872850c550ad8f5c52f"},{"target":{"function":"EncryptedReadRecordLayer::read","file":"fizz/record/EncryptedRecordLayer.cpp"},"signature_version":"v1","digest":{"function_hash":"49798349820604613252873878731339836408","length":1101},"deprecated":false,"signature_type":"Function","id":"CVE-2019-11924-96f05d30","source":"https://github.com/facebookincubator/fizz/commit/6bf67137ef1ee5cd70c842b014c322b7deaf994b"},{"target":{"file":"fizz/record/test/EncryptedRecordTest.cpp"},"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["189038259679934174011018336465141156290","210192097367134237374705695310999135650","61635371859289304071434880827358365662","225304188162875061993311240583984993124"]},"deprecated":false,"signature_type":"Line","id":"CVE-2019-11924-fc571ce2","source":"https://github.com/facebookincubator/fizz/commit/6bf67137ef1ee5cd70c842b014c322b7deaf994b"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11924.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}