Memory corruption in FlatBuffers MiniReflect leading to reliable DoS after verification #9152

Description

@Adyej999

Summary

FlatBuffers MiniReflect can crash when processing certain verified FlatBuffer inputs containing NONE or unknown union states.

The issue affects the C++ MiniReflect path in:

include/flatbuffers/minireflect.h

A crafted FlatBuffer can pass generated verification successfully, but later cause MiniReflect traversal through APIs such as:

FlatBufferToString()
IterateFlatBuffer()

to perform unsafe union handling and crash the process.

Related patch:

https://github.com/google/flatbuffers/pull/9126

Google vulnerability report reference:

https://issuetracker.google.com/u/1/issues/520826260

Why this should be fixed

FlatBuffers applications commonly treat successful generated verification as the safety boundary before reading or inspecting untrusted FlatBuffer input. In this case, the generated verifier can accept the buffer, but MiniReflect can still crash while traversing it.

This makes the issue more serious than simply “invalid input crashes if not verified.” The failure occurs after the expected verification step.

The affected MiniReflect code path can be reached when applications use MiniReflect for inspection, logging, debugging, telemetry, conversion, or stringification of FlatBuffer data.

Threat model

An attacker who can supply a FlatBuffer to an application may be able to cause a reliable denial of service if the application:

  1. accepts untrusted FlatBuffer input;
  2. verifies the input with the generated verifier;
  3. then processes the verified input using MiniReflect APIs such as FlatBufferToString() or IterateFlatBuffer().

In that scenario, the application may crash even though it followed the expected defensive pattern of verifying the buffer first.

Technical details

The issue is related to MiniReflect union traversal.

For NONE union entries, MiniReflect should not treat the union value as a concrete object or attempt to resolve a concrete union type reference. For unknown or future union discriminator values, MiniReflect should also avoid resolving and forwarding unchecked union value pointers.

The current behavior can lead to invalid MiniReflect type-reference handling or unsafe pointer forwarding while walking the buffer.

The patch in PR #9126 hardens this behavior by ensuring that MiniReflect does not resolve union value offsets until the union discriminator is known to represent a valid concrete union member.
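To make the hardening concrete, here is an added stand-alone example (not code from the FlatBuffers project or from PR #9126) that models the defensive rule described above: a traversal routine that only dereferences a union value once the discriminator is known to name a concrete member, and that treats NONE and unknown/future discriminator values as "nothing to resolve". The `Vehicle` union, its type table, the `UnionField` record layout and the sample buffer are all constructed for this example; real MiniReflect works from generated `TypeTable`s and verified offsets instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical union for the example: Vehicle { NONE = 0, Car = 1, Boat = 2 }.
// The table is indexed by discriminator value; index 0 is always NONE.
struct UnionMember {
  const char *name;
  size_t payload_size;  // bytes the concrete member occupies in the buffer
};
static const UnionMember kVehicleMembers[] = {
    {"NONE", 0}, {"Car", 4}, {"Boat", 8},
};
static const size_t kNumVehicleMembers =
    sizeof(kVehicleMembers) / sizeof(kVehicleMembers[0]);

enum class UnionDecision { kSkipNone, kSkipUnknown, kResolve };

// The guard at the heart of the fix: classify the discriminator BEFORE
// touching the union value. NONE and out-of-table values never resolve.
UnionDecision ClassifyDiscriminator(uint8_t disc) {
  if (disc == 0) return UnionDecision::kSkipNone;
  if (disc >= kNumVehicleMembers) return UnionDecision::kSkipUnknown;
  return UnionDecision::kResolve;
}

// Constructed record shape: a union_type byte plus an offset to the value.
// For NONE the offset is meaningless and may hold anything (the case that
// a verifier can accept but a naive walker would still dereference).
struct UnionField {
  uint8_t type;
  uint32_t value_offset;
};

// Stringify one union field the way a FlatBufferToString-style walker would,
// reading payload bytes only for a known member whose payload is in bounds.
std::string DescribeUnion(const UnionField &f, const std::vector<uint8_t> &buf) {
  switch (ClassifyDiscriminator(f.type)) {
    case UnionDecision::kSkipNone:
      return "NONE";
    case UnionDecision::kSkipUnknown:
      return "<unknown union type " + std::to_string(static_cast<int>(f.type)) + ">";
    case UnionDecision::kResolve:
      break;
  }
  const UnionMember &m = kVehicleMembers[f.type];
  // Bounds check written to avoid unsigned overflow on offset + size.
  if (f.value_offset > buf.size() || buf.size() - f.value_offset < m.payload_size)
    return std::string("<") + m.name + ": payload out of bounds>";
  // Decode the payload as a little-endian integer purely for display.
  uint64_t v = 0;
  for (size_t i = 0; i < m.payload_size; ++i)
    v |= static_cast<uint64_t>(buf[f.value_offset + i]) << (8 * i);
  return std::string(m.name) + "{" + std::to_string(v) + "}";
}

// Constructed sample buffer: a 4-byte Car payload (value 1) followed by an
// 8-byte Boat payload (value 2).
const std::vector<uint8_t> kSampleBuf = {1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0};
```

The order of the checks is the point: the discriminator is classified first, so a NONE entry carrying a garbage offset and a future discriminator value the binary was never compiled against both return without any pointer being formed from `value_offset`. Only after the member is known does the payload size become meaningful enough to bounds-check against the buffer.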

Impact

Confirmed impact:

Reliable process crash / denial of service
Post-verification invalid memory access
ASan crash / release-build SIGSEGV

Not claimed:

RCE
arbitrary code execution
stock information disclosure
arbitrary write

Proposed fix

The proposed fix is available here:

https://github.com/google/flatbuffers/pull/9126

The patch hardens MiniReflect handling for:

NONE union entries
unknown/future union discriminator values
size-prefixed buffer variants
custom IterationVisitor callbacks

It also adds regression and fuzz coverage for the MiniReflect union traversal path.
