{"id":"CVE-2019-11938","details":"Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.","modified":"2026-04-11T08:05:39.910835Z","published":"2020-03-10T21:15:11.653Z","related":["CGA-vh7c-4x76-pp3r"],"references":[{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2019-11938"},{"type":"FIX","url":"https://github.com/facebook/fbthrift/commit/08c2d412adb214c40bb03be7587057b25d053030"},{"type":"FIX","url":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/fbthrift","events":[{"introduced":"0"},{"fixed":"9b94248d1e93da42a29d01e980415c3d03444085"},{"fixed":"08c2d412adb214c40bb03be7587057b25d053030"},{"fixed":"71c97ffdcb61cccf1f8267774e873e21ebd3ebd3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2019.12.09.00"}]}}],"versions":["0.19.0","v0.20.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.30.0","v0.31.0","v2016.09.26.00","v2016.10.03.00","v2016.10.10.00","v2016.10.17.00","v2016.10.24.00","v2016.10.31.00","v2016.11.07.00","v2016.11.14.00","v2016.11.21.00","v2016.11.28.00","v2016.12.05.00","v2016.12.12.00","v2016.12.19.00","v2016.12.26.00","v2017.01.02.00","v2017.01.09.00","v2017.01.16.00","v2017.01.23.00","v2017.01.30.00","v2017.03.06.00","v2017.03.13.00","v2017.03.20.00","v2017.03.27.00","v2017.04.03.00","v2017.04.10.00","v2017.04.17.00","v2017.04.24.00","v2017.05.01.00","v2017.05.08.00","v2017.05.15.00","v2017.05.22.00","v2017.05.29.00","v2017.06.05.00","v2017.06.12.00","v2017.06.19.00","v2017.06.26.00","v2017.07.03.00","v2017.07.10.00","v2017.07.17.00","v2017.07.24.00","v2017.07.31.00","v2017.08.07.00","v2017.08.14.00","v2017.08.21.00","v2017.08.28.00","v2017.09.04.00","v2017.09.11.00","v2017.09.18.00","v2017.09.25.00","v2017.10.02.00","v2017.10.09.00","v2017.10.16.00","v2017.10.23.00","v2017.10.30.00","v2017.11.06.00","v2017.11.13.00","v2017.11.20.00","v2017.11.27.00","v2017.12.04.00","v2017.12.11.00","v2017.12.18.00","v2017.12.25.00","v2018.01.01.00","v2018.01.08.00","v2018.01.15.00","v2018.01.22.00","v2018.01.29.00","v2018.02.05.00","v2018.02.12.00","v2018.02.19.00","v2018.02.26.00","v2018.03.05.00","v2018.03.12.00","v2018.03.19.00","v2018.03.26.00","v2018.04.02.00","v2018.04.09.00","v2018.04.16.00","v2018.04.23.00","v2018.04.30.00","v2018.05.07.00","v2018.05.14.00","v2018.05.21.00","v2018.05.28.00","v2018.06.04.00","v2018.06.11.00","v2018.06.18.00","v2018.06.25.00","v2018.07.02.00","v2018.07.09.00","v2018.07.16.00","v2018.07.23.00","v2018.07.30.00","v2018.08.06.00","v2018.08.13.00","v2018.08.20.00","v2018.08.27.00","v2018.09.03.00","v2018.09.10.00","v2018.09.17.00","v2018.09.24.00","v2018.10.01.00","v2018.10.08.00","v2018.10.15.00","v2018.10.22.00","v2018.10.29.00","v2018.11.05.00","v2018.11.12.00","v2018.11.19.00","v2018.11.26.00","v2018.12.03.00","v2018.12.10.00","v2018.12.17.00","v2018.12.24.00","v2018.12.31.00","v2019.01.07.00","v2019.01.14.00","v2019.01.21.00","v2019.01.28.00","v2019.02.04.00","v2019.02.11.00","v2019.02.18.00","v2019.02.25.00","v2019.03.04.00","v2019.03.11.00","v2019.03.18.00","v2019.04.08.00","v2019.04.15.00","v2019.04.22.00","v2019.04.29.00","v2019.05.06.00","v2019.05.13.00","v2019.05.20.00","v2019.05.27.00","v2019.06.03.00","v2019.06.10.00","v2019.06.17.00","v2019.06.24.00","v2019.07.01.00","v2019.07.08.00","v2019.07.15.00","v2019.07.22.00","v2019.07.29.00","v2019.09.23.00","v2019.09.30.00","v2019.10.07.00","v2019.10.14.00","v2019.10.21.00","v2019.10.28.00","v2019.11.04.00","v2019.11.11.00","v2019.12.02.00","v2019.12.06.00"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["84920297183352773002926314146192619803","13709851565069441040386568628739475560","205487714107520586003728578299597049134","211266132347194378941379443836116438695","172334342582800917353174686872188429458","43662379426971501806423732278003014755","197933698915701752622036395360852887115","134489809660519374171471603864241407011","287171819073791202339799727404183772903","135118391464439814149773739482504420476","154697469811609482661621178149058519286","6718555576904852924119321255110591130"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-02530d7d","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/AsyncProcessor.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["71370382024167026448375113489015355388","28679137971303806335748603837255008654","122386665065737562089408307836839331109","155703683962912949159256407518608453116","150325850835209429028784063142058335300","204455473606270602673074416144493706739","31962169622821067755021233028444924988","18665661183082249854100297393609117657","150325850835209429028784063142058335300","204455473606270602673074416144493706739","254813110885488808113955641301075290638","13377981779667711992036191582704063857","150325850835209429028784063142058335300","204455473606270602673074416144493706739","31962169622821067755021233028444924988","18665661183082249854100297393609117657","150325850835209429028784063142058335300","204455473606270602673074416144493706739","254813110885488808113955641301075290638","301258761102636905165115127047660746617","81745649606018528601581942743336159498","51250529886491700171814997231139713286","106254410500504962722951633903215831803","172289554499364176023370052090949134437","60966902630711655694339818123396709099","166479722029848141238587891195265835184","314060325416943673143082617185985595189","143358749505352814707090204371464204328","210011027347231125863748771437367199301","304268847888108311689037316494687589793","154104528742629190248408119171067792591","300207405749964017325646656962085933396"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/08c2d412adb214c40bb03be7587057b25d053030","id":"CVE-2019-11938-09407411","deprecated":false,"target":{"file":"thrift/lib/java/src/test/java/com/facebook/thrift/TruncatedFrameTest.java"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["4797058923420540698116234816476806357","76395644358259750740201272025814613845","239052807167279158172163402400207872062","69260771834776043076744930068595590716"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-0a0642c5","deprecated":false,"target":{"file":"thrift/lib/cpp2/transport/rocket/server/RocketThriftRequests.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["312621092031594585876504781233203541324","9653377110021400060499936488527088786","37331546676119442092300575477242090659","120832727355955826551525444804133005852","162424226318814389782160507316809519090","296101425132206778173754842980808703380","275655038997711590059784829508357477036","259429626410034097751055596535902995071","189645240081339370185136688939188092217","187154224510338805148786444436056141892","243468300037495836173165275368819502245","309568566054870127622034284819651477838","185621502009912095055635349481058200507","18343634570126913998575287598592751178","329872889788972055831132275436212847881","124359236671242350060513117596875433177","216237100100504615009475916183020803588","176035184680074487560754654923648109665","91780231136160343290648672629631407192","284150434537808084756332637940547693560"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-13787d20","deprecated":false,"target":{"file":"thrift/lib/cpp2/transport/core/ThriftRequest.h"}},{"signature_version":"v1","digest":{"length":1041,"function_hash":"254603883362110266974146130544432820209"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-1a04d878","deprecated":false,"target":{"file":"thrift/lib/cpp2/GeneratedCodeHelper.cpp","function":"process_exn"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["13959774681404384511618308027999406123","145509648767746833291173144028059368906","2349916495542301558356213749512723868","67624328869798195192173233121265527577","13959774681404384511618308027999406123","145509648767746833291173144028059368906","2349916495542301558356213749512723868","67624328869798195192173233121265527577"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-2cdfdb65","deprecated":false,"target":{"file":"thrift/lib/cpp2/gen/service_tcc.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["287770351271366827592685402638756698818","165953349109647137688173375192503337466","27424619483886851929705468592458177908"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-2e1b9df2","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/SinkBridgeUtil.h"}},{"signature_version":"v1","digest":{"length":1006,"function_hash":"267445231412119194739283096377545772226"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-38e9c789","deprecated":false,"target":{"file":"thrift/lib/cpp2/GeneratedCodeHelper.h","function":"recv_wrapped"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["323973751675422377963269394753535514830","339158453663786909457687863571771243595"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-671c48e1","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TProtocol.java"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["291855479090736896051578482170572036723","321456415092403948313198974648087399383","265465557530010508128935108876519430515","162831620992740444419603465574486822875","20645087812503822728554857138555698833","227765574827280702654580745074590874095","285731291724014446531823277420790336138","307023746945158345294897677178939313869","95693728144585657453083471667602375531","62463819872719753017710564053010939341","2442900758412237064186394458723271584","266131046292516807645416591554116398527"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-68eb41f4","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/Sink.h"}},{"signature_version":"v1","digest":{"length":106,"function_hash":"31710071794858648350423479642739361833"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-6d802bc5","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TBinaryProtocol.java","function":"readMapBegin"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["255800207543024962827959215113861712821","338787650219427134711933609033950214969","85606407192963626086400125028896261471","132023616382596914309657674014048522877","177530884111485160624183301556373572813","160048284049615514659068306678737412969","161869562074545788107152246977851222442","143883916090803712938571271639461487633"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-7c75db3d","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/ClientSinkBridge.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["16113609262019050043842441067941240576","153130860960155205168823413700705361943","286524669223904038376210038859598535466","282526079504110426332227046225075337505"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-84b7b70d","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/StreamGenerator.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["114085937586889929170260506342507576125","331558074517638748098594858316425868981","71158288545554374680491447059712406240","30954779488706543078670786227095628184","89175113461685332919913219134503957624","209621962710644556489653004292673396084"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-86ce8488","deprecated":false,"target":{"file":"thrift/lib/java/src/test/java/com/facebook/thrift/StructTest.java"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["272063095090693741521310379701097302997","308914535908771026583979637167791551659","239518799659106643766215165283613795609","47655612446269566400048896142076723593","48594941981350625478810270925799165259","288594227796972146305357536526078115935","322158117704681333413386886625979176302","226877309845311064803306675183176437201","112899126101901320177198145671698860133","58626689373221361854655807345021602442","322158117704681333413386886625979176302","226877309845311064803306675183176437201","197190751562615598786246879129336072414","179621868687088621390861798705498952060","239518799659106643766215165283613795609","47655612446269566400048896142076723593"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-921639b7","deprecated":false,"target":{"file":"thrift/lib/cpp2/GeneratedCodeHelper.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["74771347127876036427401549784542042811","163311529738838366369460728159846812053","31788733233047613584259494268390062096","339099543116152471473616310579096008035","206032680257557893581977889436677355889","307296327200739690638246310920064302051","16168353838762762402301079820466983503","27622458853141881236488719668955867885","61770961079333234746409456475238341602","201697527828558247313011986395721296436","73221666786568765909919170324372656865"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-987be36c","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TCompactProtocol.java"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["320448058623919724247801944510210436592","37386879528606056633944567313886886901","131743811384158314375096530368137348433","71050918977743030441841852203333898350"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-a08447bc","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/AsyncProcessor.cpp"}},{"signature_version":"v1","digest":{"length":214,"function_hash":"236682009412876707954779998704034247958"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-a592ddf2","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TCompactProtocol.java","function":"readMapBegin"}},{"signature_version":"v1","digest":{"length":208,"function_hash":"54418176528300490391677020634203931265"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-ae5bd043","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TCompactProtocol.java","function":"readListBegin"}},{"signature_version":"v1","digest":{"length":920,"function_hash":"209188091344171829298747344170983729937"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-af2a2b37","deprecated":false,"target":{"file":"thrift/lib/cpp2/GeneratedCodeHelper.h","function":"recv_wrapped"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["118401084802480036942172776095775039386","98209273006794023046576825803468507776","205487714107520586003728578299597049134","281128543303248810201197201698101379862","121095072642985371149110919484574584588","175227870688940852177048206898561720751","283555461240557239029883184859671952426","158155088141746350564734813897486759794"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-afb283ea","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/ResponseChannel.h"}},{"signature_version":"v1","digest":{"length":91,"function_hash":"239612541776577694432704007750041224715"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-b2ac2119","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TBinaryProtocol.java","function":"readSetBegin"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["317108181889544276394917609878997716669","314938556549092262101300200478109042966"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-ba91c0a4","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TProtocolDecorator.java"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["181763975823380235187356364065482314787","264376248693680924749238223579927814475","14577454998792280494537730620849882691","174823650000446996090117832995655153348"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-ba9b0d4d","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/ServerSinkBridge.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["132156360187921140183364973121583132777","35436494623636297235696150606719979196","289257469768923274834465228697048152312","187992445896893488252699688043768278469","36383705849617581662406830235957324729","278168296182536343192294353669859092603","188467864769370639302611477525398193942","143016489911989585881014165186482610788","307813277572085754561592827891934123030","235564245046813757569341541316980270819","229368641750899793881732014469855820876","125631913607515860014992886861439588133","332067265575664658637325141793176559603","108587633537507210242609878158511307392"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-cca3324b","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TBinaryProtocol.java"}},{"signature_version":"v1","digest":{"length":91,"function_hash":"239612541776577694432704007750041224715"},"signature_type":"Function","source":"https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3","id":"CVE-2019-11938-e79f3183","deprecated":false,"target":{"file":"thrift/lib/java/src/main/java/com/facebook/thrift/protocol/TBinaryProtocol.java","function":"readListBegin"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["186651627838652226919982890457887654825","185973038535869866158064985009448960063","283489902100096486947091958574981811424","96550833460426241965015910822089493409"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-ef1d0591","deprecated":false,"target":{"file":"thrift/lib/cpp2/GeneratedCodeHelper.cpp"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["118902640489648051997904539640187995698","262246990788560381859205768104793618884","288652967000967756549321933481844445908","282526079504110426332227046225075337505"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-f173372e","deprecated":false,"target":{"file":"thrift/lib/cpp2/async/StreamGenerator-inl.h"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["25050409398330057943670015485709649910","211239993181166030004868474329888324378","93945187114177063284861644219235641115","34921664715939997263927643168477759103","118909663185914795845331518686970749233","260238019026539160818823721802729088231","105383514721310668779467883399235300355","196144506163924468216760195193322136874"]},"signature_type":"Line","source":"https://github.com/facebook/fbthrift/commit/9b94248d1e93da42a29d01e980415c3d03444085","id":"CVE-2019-11938-ff6ff477","deprecated":false,"target":{"file":"thrift/lib/cpp2/transport/rocket/server/RocketThriftRequests.cpp"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11938.json","vanir_signatures_modified":"2026-04-11T08:05:39Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}