CVE-2024-44083
Published: 19 August 2024
Summary
CVE-2024-44083 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Hex-Rays Ida Pro. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 7.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-44083 is a denial-of-service vulnerability in ida64.dll within Hex-Rays IDA Pro versions through 8.4. It is triggered when the analyzed binary contains a section with a large number of linked jumps that terminate at a payload jump used to reach the actual entry point, causing the component to crash. The issue is tracked under CWE-770 and carries a CVSS 3.1 score of 7.5 reflecting high availability impact with no confidentiality or integrity consequences; the vendor note indicates that in many analysis workflows the behavior constitutes an inconvenience rather than a security problem.
An unauthenticated remote attacker can exploit the flaw by supplying a specially crafted executable or binary file that an analyst loads into IDA Pro. Successful triggering forces the ida64.dll process to terminate, interrupting the reverse-engineering session without granting code execution or data access.
Public references consist of two GitHub repositories that demonstrate the crash condition and related tooling; no vendor advisory or patch information is included in the available references. The associated EPSS score reached a peak of 0.1171 before receding to its current value of 0.0878, indicating modest post-disclosure interest that has since declined.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40853
Vulnerability details
ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases,…
more
this is an inconvenience but not a security issue.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.