{"id":"CVE-2019-11937","details":"In Mcrouter prior to v0.41.0, a large struct input provided to the Carbon protocol reader could result in stack exhaustion and denial of service.","modified":"2026-04-11T08:55:55.046612Z","published":"2019-12-04T16:15:11.730Z","references":[{"type":"ADVISORY","url":"https://github.com/facebook/mcrouter/releases/tag/v0.41.0-release"},{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2019-11937"},{"type":"FIX","url":"https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/mcrouter","events":[{"introduced":"0"},{"fixed":"9ffd13e9ab6c2c02bd1f95a7169c9a69b1b6bc54"},{"fixed":"97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.41.0"}]}}],"versions":["release-36-cve-fix","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.19.0","v0.20.0","v0.21.0","v0.22.0","v0.23.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.30.0","v0.31.0","v0.32.0","v0.33.0","v0.34.0","v0.35.0","v0.36.0","v0.37.0","v0.38.0","v0.39.0","v0.41.0","v0.9.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"mcrouter/lib/carbon/CarbonProtocolReader.cpp"},"id":"CVE-2019-11937-754e2a1b","source":"https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["65161515500616568558656657028519200949","211871914796959863846934910901354094903","167072776203480378383959684283413084932","287441299355480581747519674051041422660","5928327514337020991552201001823937487","194894419827936238695643242947369075622","321974394087091680584651102824025550378","211488159856352772860105901494483197795","187480002121884995759788625953718996382","200497279708899711979223314648232423331","324038733964501136469472308180816719353","171330923685853089644337207322548552352","82713770421532349676075287601689598486","3550457628982714179147233303082124235"]}},{"deprecated":false,"target":{"function":"CarbonProtocolReader::skip","file":"mcrouter/lib/carbon/CarbonProtocolReader.cpp"},"id":"CVE-2019-11937-8b21346f","source":"https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b","signature_version":"v1","signature_type":"Function","digest":{"length":967,"function_hash":"338708658738725844228037726447850122146"}},{"deprecated":false,"target":{"file":"mcrouter/lib/carbon/CarbonProtocolReader.h"},"id":"CVE-2019-11937-fb898708","source":"https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["194489831403648663238481715541015036153","299405957060261401258185212596721711662","333748399651933197211965056899606848901","120521487789386056350350313606559228989","104720807227338357736598230379988928171"]}}],"vanir_signatures_modified":"2026-04-11T08:55:55Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11937.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}