Description
The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size.
Published: 2026-06-09
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
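The wrap-around in the description, reproduced as an added example that is not Malwarebytes' code: a toy FNV-1a core takes a narrow length type, the vulnerable wrapper narrows `size_t` into it, and the fixed wrapper feeds the core in bounded chunks as the recommended actions suggest. To keep the reproduction runnable the length field is assumed to be 16 bits wide, so the wrap happens after 64 KiB of padding instead of 4 GiB; the mechanism is otherwise the same, and `collides` shows that `hash(s)` equals `hash(s || padding)` only under the vulnerable wrapper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Width of the legacy length field. The real bug is 32 bits (wrap at 4 GiB);
 * 16 bits is assumed here so the wrap is reproducible with 64 KiB of padding. */
typedef uint16_t legacy_len_t;
#define LEGACY_LEN_MAX UINT16_MAX
#define FNV_OFFSET 0xcbf29ce484222325ULL
/* Toy 64-bit FNV-1a core with the narrow length parameter (stand-in for the
 * legacy utility, constructed for this example). */
static uint64_t fnv1a_update(uint64_t h, const uint8_t *p, legacy_len_t n) {
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}
/* Vulnerable wrapper: size_t is silently narrowed, so for len = k + 2^W only
 * the first k bytes are hashed and everything appended after them is ignored. */
uint64_t hash_vulnerable(const uint8_t *p, size_t len) {
    return fnv1a_update(FNV_OFFSET, p, (legacy_len_t)len);
}
/* Fixed wrapper: feed the core in bounded chunks so every byte contributes. */
uint64_t hash_fixed(const uint8_t *p, size_t len) {
    uint64_t h = FNV_OFFSET;
    while (len > 0) {
        legacy_len_t chunk = len > LEGACY_LEN_MAX ? LEGACY_LEN_MAX : (legacy_len_t)len;
        h = fnv1a_update(h, p, chunk);
        p += chunk;
        len -= chunk;
    }
    return h;
}
/* Returns 1 if hash(s) == hash(s || padding) for the given wrapper, where the
 * padding is exactly 2^W bytes of constructed filler; 0 otherwise; -1 on OOM. */
int collides(uint64_t (*hash)(const uint8_t *, size_t), const char *s) {
    size_t k = strlen(s);
    size_t wrap = (size_t)LEGACY_LEN_MAX + 1;
    uint8_t *buf = malloc(k + wrap);
    if (!buf) return -1;
    memcpy(buf, s, k);
    memset(buf + k, 'A', wrap);
    int same = hash((const uint8_t *)s, k) == hash(buf, k + wrap);
    free(buf);
    return same;
}
```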
AI Analysis

Impact

The cryptographic hash routine in Malwarebytes EDR 1.0.11 truncates input larger than 4 GB, causing an unsigned 32‑bit counter to wrap around. This bug allows an attacker to create two distinct strings that yield the same hash by appending a 4‑GB payload to a shorter string. If the hash is used for integrity or authentication checks, the collision can undermine those mechanisms, enabling forged content to appear authentic; this is inferred from the description.

Affected Systems

Malwarebytes EDR for Linux, version 1.0.11. No other vendors or products are currently listed as affected.

Risk and Exploitability

No public exploits are known, and the EPSS score is unavailable. The collision requires delivering a payload larger than 4 GB, which limits exploitation to contexts that accept arbitrarily large inputs; therefore, the actual risk depends on how the hash is applied. The CVSS score of 8.2 indicates high severity. Since the vulnerability is not listed in the CISA KEV catalog, no widespread exploitation has been observed. A likely attack vector is remote submission of a large payload to an application that consumes data without validation, though this is inferred from the need for a >4 GB input.

Generated by OpenCVE AI on June 9, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Malwarebytes EDR to a version that removes the truncation bug.
  • Add supplemental integrity checks that either use a hash algorithm that processes data in bounded chunks or validate input size before hashing.
  • Monitor for unusual hashing activity or attempts to trigger hash collisions.

Generated by OpenCVE AI on June 9, 2026 at 23:04 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:30:00 +0000

Type: Title
Values Added: Hash Collision Due to 4GB Truncation in Malwarebytes EDR 1.0.11

Tue, 09 Jun 2026 20:30:00 +0000

Type: Weaknesses
Values Added: CWE-190

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:45:00 +0000

Type: Description
Values Added: The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size.

Type: References
Values Added: (none shown)


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:25:28.255Z

Reserved: 2023-03-31T00:00:00.000Z

Link: CVE-2023-29146

Vulnrichment

Updated: 2026-06-09T19:25:11.070Z

NVD

Status: Deferred

Published: 2026-06-09T19:16:41.760

Modified: 2026-06-09T20:16:29.207

Link: CVE-2023-29146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:15:16Z

Weaknesses