PYSEC-2026-684
Memory leak in Nanopb
상세
### Impact Decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed.
### Patches Preliminary patch is [available on git](https://github.com/nanopb/nanopb/commit/edf6dcbffee4d614ac0c2c1b258ab95185bdb6e9) and problem will be patched in versions 0.3.9.7 and 0.4.4 once testing has been completed.
### Workarounds Following workarounds are available: * Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. * Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. * Use an arena allocator for nanopb, to make sure all memory can be released afterwards.
### References Bug report: https://github.com/nanopb/nanopb/issues/615
### For more information If you have any questions or comments about this advisory, comment on the bug report linked above.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2020-26243 [ADVISORY]
- https://github.com/nanopb/nanopb/issues/615 [WEB]
- https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c [WEB]
- https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt [WEB]
- https://pypi.org/project/nanopb [PACKAGE]
- https://github.com/advisories/GHSA-85rr-4rh9-hhwh [ADVISORY]