{"id":"CVE-2023-38403","details":"iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.","modified":"2026-04-16T04:30:36.312947057Z","published":"2023-07-17T21:15:09.800Z","related":["ALSA-2023:4570","ALSA-2023:4571","SUSE-SU-2023:2987-1","SUSE-SU-2023:3887-1","openSUSE-SU-2024:13060-1"],"references":[{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M25Z5FHTO3XWMGP37JHJ7IIIHSGCLKEV/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230818-0016/"},{"type":"ADVISORY","url":"https://bugs.debian.org/1040830"},{"type":"ADVISORY","url":"https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BV6EBWWF4PEQKROEVXGYSTIT2MGBTLU7/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213984"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213985"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2023/Oct/24"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2023/Oct/26"},{"type":"ADVISORY","url":"https://cwe.mitre.org/data/definitions/130.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00025.html"},{"type":"REPORT","url":"https://github.com/esnet/iperf/issues/1542"},{"type":"FIX","url":"https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/esnet/iperf","events":[{"introduced":"0"},{"fixed":"a0be85934144bc04712a6695b14ea6e45c379e1d"},{"fixed":"0ef151550d96cc4460f98832df84b4a1e87c65e9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.14"}]}}],"versions":["2.0-RELEASE","2.0.1-RELEASE","2.0.2-RELEASE","2.0.3-RELEASE","2.0.4-RELEASE","3.0-ALPHA1","3.0-BETA1","3.0-BETA2","3.0-BETA3","3.0-BETA4","3.0-BETA5","3.0.1","3.0.4","3.1","3.10","3.10.1","3.11","3.12","3.13","3.1b1","3.1b2","3.1b3","3.2","3.2rc1","3.3","3.4","3.5","3.6","3.7","3.8","3.8.1","3.9","iperf-3.0a1","iperf3","trunk"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"src/iperf_api.c"},"id":"CVE-2023-38403-2f181cff","signature_version":"v1","signature_type":"Line","source":"https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9","digest":{"line_hashes":["31138989934835967853644463147944633206","300129804459515635418185354063148005800","211185849642239104369431138118764752128","120289198626001640135016292307456648609","103946030697011972946752526404262707110","74265392440462843323174286899530357374","317375933644696769020399486204161531528","286784827784628466018746909541478291355","44075911177452260091104907090409103549","252582931826044103934091042691051999819","260211622875497584537767243227104153086","334182649030972681018623345589886499362"],"threshold":0.9}},{"deprecated":false,"target":{"function":"JSON_read","file":"src/iperf_api.c"},"id":"CVE-2023-38403-b779251d","signature_version":"v1","signature_type":"Function","source":"https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9","digest":{"length":534,"function_hash":"4224136192845182230612297700002105072"}}],"vanir_signatures_modified":"2026-04-12T05:13:21Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"fixed":"13.6.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38403.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}