Cyber Resilience

CVE-2024-44083

HighPublic PoCDDoS

Published: 19 August 2024

Published
19 August 2024
Modified
18 March 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0878 92.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-44083 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Hex-Rays Ida Pro. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 7.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-44083 is a denial-of-service vulnerability in ida64.dll within Hex-Rays IDA Pro versions through 8.4. It is triggered when the analyzed binary contains a section with a large number of linked jumps that terminate at a payload jump used to reach the actual entry point, causing the component to crash. The issue is tracked under CWE-770 and carries a CVSS 3.1 score of 7.5 reflecting high availability impact with no confidentiality or integrity consequences; the vendor note indicates that in many analysis workflows the behavior constitutes an inconvenience rather than a security problem.

An unauthenticated remote attacker can exploit the flaw by supplying a specially crafted executable or binary file that an analyst loads into IDA Pro. Successful triggering forces the ida64.dll process to terminate, interrupting the reverse-engineering session without granting code execution or data access.

Public references consist of two GitHub repositories that demonstrate the crash condition and related tooling; no vendor advisory or patch information is included in the available references. The associated EPSS score reached a peak of 0.1171 before receding to its current value of 0.0878, indicating modest post-disclosure interest that has since declined.

EU & UK References

Vulnerability details

ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases,…

more

this is an inconvenience but not a security issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hex-rays
ida pro
≤ 8.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-770

This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

addresses: CWE-770

Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

addresses: CWE-770

Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.

addresses: CWE-770

Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

addresses: CWE-770

Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

addresses: CWE-770

Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.

addresses: CWE-770

Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

addresses: CWE-770

Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.

References