CVE-2024-24786
Publication date 5 March 2024
Last updated 11 July 2025
Ubuntu priority
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-google-protobuf | 25.04 plucky |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Not in release | |
| google-guest-agent | 25.04 plucky |
Fixed 20240213.00-0ubuntu4
|
| 24.04 LTS noble |
Fixed 20240213.00-0ubuntu3.1
|
|
| 22.04 LTS jammy |
Fixed 20231004.02-0ubuntu1~22.04.4
|
|
| 20.04 LTS focal |
Fixed 20240213.00-0ubuntu4
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| google-osconfig-agent | 25.04 plucky |
Fixed 20240320.00-0ubuntu2
|
| 24.04 LTS noble |
Fixed 20240320.00-0ubuntu1~24.04.1
|
|
| 22.04 LTS jammy |
Fixed 20230504.00-0ubuntu1~22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Notes
mdeslaur
This has been fixed in the (20240716.00-0ubuntu1~20.04.0) package for focal, but has not been copied over to the -security pocket yet.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6746-1
- Google Guest Agent and Google OS Config Agent vulnerability
- 23 April 2024
- USN-6746-2
- Google Guest Agent and Google OS Config Agent vulnerability
- 25 June 2024