CVE-2019-9578
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-9578
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9578.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-9578
- Downstream
- Related
- Published
- 2019-03-05T23:29:02Z
- Modified
- 2025-10-15T11:16:29.556167Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In devs.c in Yubico libu2f-host before 1.1.8, the response to init is misparsed, leaking uninitialized stack memory back to the device.
- References
-
- https://developers.yubico.com/libu2f-host/Release_Notes.html
- https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5
- https://security.gentoo.org/glsa/202004-15
- https://blog.inhq.net/posts/yubico-libu2f-host-vuln-part2/
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GMA4H6AZFYIR3LA5VKKEJZNCCIVMUCFQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S4YCFMSNMXZ7XC4U6WXPQA7JCXC6VOAJ/
Affected packages
Git / github.com/yubico/libu2f-host
Affected ranges
- Type
- GIT
- Repo
- https://github.com/yubico/libu2f-host
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
libu2f-host-0.*
libu2f-host-0.0
libu2f-host-0.0.1
libu2f-host-0.0.2
libu2f-host-0.0.3
libu2f-host-0.0.4
libu2f-host-1.*
libu2f-host-1.0.0
libu2f-host-1.1.0
libu2f-host-1.1.1
libu2f-host-1.1.2
libu2f-host-1.1.3
libu2f-host-1.1.4
libu2f-host-1.1.5
libu2f-host-1.1.6
libu2f-host-1.1.7
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2019-9578-240562e0",
"target": {
"file": "u2f-host/devs.c"
},
"source": "https://github.com/yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5",
"digest": {
"threshold": 0.9,
"line_hashes": [
"11567275744523841877518153416187518118",
"44370850034924077708171989660832381896",
"188303028343851327688763961351998290166",
"145078100563149133988154089729284353283",
"216224806556506021471973488479284945323",
"78543609262864008034404409691289906146",
"298195757489697171354479924323044485927",
"314185290226119270872259819350989570243",
"24939522874790354133884502489879271461",
"76490889385848227444144861291301719677",
"314261858854284419405726470030233727425",
"148922957106482978517489830381474987071",
"314370417866445732464821320395808641267",
"14486720878436553949349358003086576635"
]
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2019-9578-c6e7e14f",
"target": {
"function": "init_device",
"file": "u2f-host/devs.c"
},
"source": "https://github.com/yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5",
"digest": {
"function_hash": "147196423138426783156581629780352000219",
"length": 712.0
}
}
]