6.5
Newlib Library Allocates Memory Without Checking for Failure
DEBIAN-CVE-2019-14877
Summary
newlib does not check whether its memory allocation for big integers succeeded. If the allocation fails, the library dereferences a null pointer and the program crashes, so systems using affected versions can stop working. Update to newlib 3.3.0 or later to fix this issue.
What to do
- Update debian picolibc to version 1.4.3-1.
- Update debian newlib to version 3.3.0-1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:14 | debian | picolibc | < 1.4.3-1 (fix: upgrade to 1.4.3-1) |
| Debian:11 | debian | newlib | < 3.3.0-1 (fix: upgrade to 3.3.0-1) |
| Debian:12 | debian | newlib | < 3.3.0-1 (fix: upgrade to 3.3.0-1) |
| Debian:13 | debian | newlib | < 3.3.0-1 (fix: upgrade to 3.3.0-1) |
| Debian:14 | debian | newlib | < 3.3.0-1 (fix: upgrade to 3.3.0-1) |
| Debian:11 | debian | picolibc | < 1.4.3-1 (fix: upgrade to 1.4.3-1) |
| Debian:12 | debian | picolibc | < 1.4.3-1 (fix: upgrade to 1.4.3-1) |
| Debian:13 | debian | picolibc | < 1.4.3-1 (fix: upgrade to 1.4.3-1) |
Original title
In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if...
Original description
In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if the allocation succeeded or not. The access to _wds and _sign will trigger a null pointer dereference bug in case of a memory allocation failure.
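The unchecked-allocation pattern described above, next to a checked form, as an added example that is not newlib's code. The `bigint` struct, `big_alloc`, `fail_alloc`, `store_diff` and both `diff_*` functions are hypothetical stand-ins; only the `_sign` and `_wds` field names come from the description.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-in for a big integer. Only the field names _sign and
   _wds come from the advisory; the layout is hypothetical. */
typedef struct {
    int _sign;       /* 1 if the result is negative */
    int _wds;        /* number of words in use */
    uint32_t _x[1];  /* single-word magnitude, enough for the demo */
} bigint;

static int fail_alloc;  /* demo hook: make the allocator report failure */

/* Hypothetical allocator in the role of Balloc: NULL on failure. */
static bigint *big_alloc(void) {
    return fail_alloc ? NULL : calloc(1, sizeof(bigint));
}

/* Store |a - b| and its sign in c (single-word operands only). */
static void store_diff(bigint *c, const bigint *a, const bigint *b) {
    c->_sign = a->_x[0] < b->_x[0];
    c->_wds = 1;
    c->_x[0] = c->_sign ? b->_x[0] - a->_x[0] : a->_x[0] - b->_x[0];
}

/* Pattern from the advisory: the allocation result is used unchecked, so
   a failed allocation makes the _sign/_wds writes dereference NULL. */
bigint *diff_unchecked(const bigint *a, const bigint *b) {
    bigint *c = big_alloc();
    store_diff(c, a, b);
    return c;
}

/* Checked form: the failure is returned to the caller instead. */
bigint *diff_checked(const bigint *a, const bigint *b) {
    bigint *c = big_alloc();
    if (c == NULL)
        return NULL;
    store_diff(c, a, b);
    return c;
}

int main(void) {
    bigint a = {0, 1, {5}}, b = {0, 1, {9}};
    fail_alloc = 1;  /* simulate memory exhaustion */
    return diff_checked(&a, &b) == NULL ? 0 : 1;  /* 0: handled cleanly */
}
```

Callers of the checked form must test for `NULL` themselves; otherwise the null dereference simply moves one level up the call chain.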
osv CVSS3.1: 6.5
- https://security-tracker.debian.org/tracker/CVE-2019-14877 Vendor Advisory
Published: 19 Mar 2020 · Updated: 19 Apr 2026 · First seen: 19 Apr 2026