CVE-2024-31852 (Medium) detected in llvm-projectllvmorg-15.0.7

[mend-bolt-for-github[bot]]

CVE-2024-31852 - Medium Severity Vulnerability

Vulnerable Library - llvm-projectllvmorg-15.0.7

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.

Library home page: https://github.com/llvm/llvm-project.git

Found in base branch: stable/3.2

Vulnerable Source Files (1)

/contrib/llvm-project/llvm/lib/Target/ARM/ARMFrameLowering.cpp

Vulnerability Details

LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production."

Publish Date: 2024-04-05

URL: CVE-2024-31852

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31852

Release Date: 2024-04-05

Fix Resolution: 0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2

---

Step up your Open Source Security Game with Mend here