On Fri, Nov 14, 2025 at 1:44 AM Peter Gutmann <[email protected]> wrote:
>
> Jacob Bachmeyer <[email protected]> writes:
>
> >Ah yes, the universal arbitrary code execution exploit: simply replace the
> >program text with malicious code. :-)
> >
> >Can we call it CVE-Zero? :-P
>
> The best one I've run into is enabling an undocumented internal build option
> that turns on extra code for coverage/fuzz testing, then reporting it as a
> vuln while ignoring the fact that the debug code also implements SSLKEYLOGFILE
> which dumps the plaintext TLS master secret to the diagnostic output.
>
> Aside from the OpenSSH pseudovulnerability that started all this, anyone else
> have any interesting stories?
Crypto++ earned a CVE for documentation: CVE-2016-7420,
<https://seclists.org/oss-sec/2016/q3/520>. Folks outside the project ported
the Crypto++ library to another build system, but did not use the same build
flags that Crypto++ uses. Then an assert fired because the ported build was a
debug build. Crypto++ caught a CVE for a DoS. The CVE folks told the Crypto++
library that the behavior should have been documented.

Jeff
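As an added illustration of the failure mode Jeff describes (this is example
code written for this page, not Crypto++ code and not the site of
CVE-2016-7420): a parser that validates untrusted input only through a
build-flag-gated assert, beside a version that rejects the same input in every
build configuration. The EXAMPLE_DEBUG flag, the EXAMPLE_ASSERT macro, the TLV
record layout and the sample bytes are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <stdexcept>
#include <vector>

// Library-style assert that is active only when the project's own debug
// flag is defined. EXAMPLE_DEBUG is an assumed name for this illustration;
// a port that defines it (or that builds a bare assert() without NDEBUG)
// gets the aborting behaviour, a port that does not gets no check at all.
#if defined(EXAMPLE_DEBUG)
#  define EXAMPLE_ASSERT(cond)                                   \
     do {                                                        \
       if (!(cond)) {                                            \
         std::cerr << "assertion failed: " #cond << '\n';        \
         std::abort();                                           \
       }                                                         \
     } while (0)
#else
#  define EXAMPLE_ASSERT(cond) do { (void)sizeof(cond); } while (0)
#endif

// Minimal TLV record: 1-byte tag, 1-byte length, then `length` value bytes.
struct Record {
  uint8_t tag;
  std::vector<uint8_t> value;
};

// Before: untrusted input is validated only by the debug assert. In a debug
// build a malformed record aborts the process (the DoS); in a release build
// the check is compiled out and the copy reads past the end of the buffer.
Record parse_record_assert_only(const uint8_t* buf, size_t len) {
  EXAMPLE_ASSERT(len >= 2);
  EXAMPLE_ASSERT(static_cast<size_t>(buf[1]) <= len - 2);
  Record r;
  r.tag = buf[0];
  r.value.assign(buf + 2, buf + 2 + buf[1]);
  return r;
}

// After: malformed input is rejected the same way in every build
// configuration, with an exception the caller can handle. Asserts are kept
// for programmer invariants, never for data an attacker controls.
Record parse_record_checked(const uint8_t* buf, size_t len) {
  if (len < 2) throw std::invalid_argument("record truncated before length");
  const size_t vlen = buf[1];
  if (vlen > len - 2) throw std::invalid_argument("length field exceeds buffer");
  Record r;
  r.tag = buf[0];
  r.value.assign(buf + 2, buf + 2 + vlen);
  return r;
}

// Constructed samples (not taken from any real traffic or bug report).
// The malformed record claims 0x20 value bytes but carries only 3.
static const uint8_t kMalformed[]  = {0x30, 0x20, 0x01, 0x02, 0x03};
static const uint8_t kWellFormed[] = {0x30, 0x03, 0x01, 0x02, 0x03};

// True when the checked parser refuses the malformed record instead of
// crashing or over-reading.
bool malformed_is_rejected() {
  try {
    parse_record_checked(kMalformed, sizeof kMalformed);
    return false;
  } catch (const std::invalid_argument&) {
    return true;
  }
}

// Value length the checked parser recovers from the well-formed record.
size_t wellformed_value_length() {
  return parse_record_checked(kWellFormed, sizeof kWellFormed).value.size();
}

int main() {
  // Only the well-formed record is fed to the assert-only parser here: the
  // malformed one would abort in a debug build or over-read in a release one.
  Record ok = parse_record_assert_only(kWellFormed, sizeof kWellFormed);
  std::cout << "assert-only parser, well-formed: tag 0x" << std::hex
            << int(ok.tag) << std::dec << ", " << ok.value.size()
            << " value bytes\n";
  std::cout << "checked parser rejects malformed record: "
            << (malformed_is_rejected() ? "yes" : "no") << '\n';
  std::cout << "checked parser, well-formed: " << wellformed_value_length()
            << " value bytes\n";
  return 0;
}
```

Compiling with -DEXAMPLE_DEBUG turns EXAMPLE_ASSERT into an aborting check;
compiling without it removes the check entirely, so the assert-only parser's
behaviour on bad input depends on whoever picks the build flags, which is
exactly the situation a downstream port creates. The checked parser fails the
same way under both flag sets, which is the property a library wants when it
cannot control how it is built.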
