{"id":"CVE-2019-19648","details":"In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.","modified":"2026-03-15T14:34:22.436329Z","published":"2019-12-09T01:15:10.357Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKNXSH5ERG6NELTXCYVJLUPJJJ2TNEBD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXM224OLGI6KAOROLDPPGGCZ2OQVQ6HH/"},{"type":"EVIDENCE","url":"https://github.com/VirusTotal/yara/issues/1178"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/virustotal/yara","events":[{"introduced":"0"},{"last_affected":"b9f925bb4e2b998bd6bb2f2e3cc2087c62fdd5b9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.11.0"}]}}],"versions":["v2.0.0","v2.1.0","v3.0.0","v3.1.0","v3.10.0","v3.10.0-rc1","v3.11.0","v3.2.0","v3.3.0","v3.4.0","v3.6.0","v3.7.0","v3.8.0","v3.8.1","v3.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19648.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}