In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal "fill" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: nodejs
Published: 2018-08-21T13:00:00Z
Updated: 2024-09-17T00:26:00.258Z
Reserved: 2018-02-15T00:00:00
Link: CVE-2018-7166
Vulnrichment
No data.
NVD
Status : Modified
Published: 2018-08-21T12:29:00.320
Modified: 2024-11-21T04:11:42.510
Link: CVE-2018-7166
Redhat