The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "binaries": [ { "binary_name": "iperf3", "binary_version": "3.0.11-1ubuntu0.1~esm1" }, { "binary_name": "libiperf-dev", "binary_version": "3.0.11-1ubuntu0.1~esm1" }, { "binary_name": "libiperf0", "binary_version": "3.0.11-1ubuntu0.1~esm1" } ] }