{"id":"CVE-2024-53984","summary":"Nanopb does not release memory on error return when using PB_DECODE_DELIMITED","details":"Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, a custom stream callback is used with unknown stream length, and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release() on failure, as is done for other failure cases. This could lead to a memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.","aliases":["GHSA-xwqq-qxmw-hj5r"],"modified":"2026-03-01T02:53:14.315817Z","published":"2024-12-02T15:54:47.478Z","related":["openSUSE-SU-2024:0400-1"],"database_specific":{"cwe_ids":["CWE-401","CWE-755"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53984.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53984.json"},{"type":"FIX","url":"https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378"},{"type":"ADVISORY","url":"https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53984"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nanopb/nanopb","events":[{"introduced":"c29ca83ff47a7224172a74ccfee07d91fa040e4c"},{"fixed":"cad3c18ef15a663e30e3e43e3a752b66378adec1"}]}],"versions":["0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.6.4","0.4.7","0.4.8","0.4.9","nanopb-0.4.0","nanopb-0.4.0-dev","nanopb-0.4.1","nanopb-0.4.2","nanopb-0.4.3","nanopb-0.4.4","nanopb-0.4.5","nanopb-0.4.6","nanopb-0.4.7","nanopb-0.4.8","nanopb-0.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53984.json"}}
],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}]}