InspIRCd Security Advisory 2021-01


InspIRCd before v3.10.0 contains a memory disclosure vulnerability. This vulnerability allows access to recently deallocated memory by any user able to connect to a server. It is believed that the most the most likely memory to be disclosed is information regarding messages sent to the calling user but other information can not currently be ruled out.

Thanks to @AndrioCelos for reporting this issue.

Affected Versions

This vulnerability is present in the following releases:

This vulnerability is fixed in version 3.10.0. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then you should apply either this patch for v3.8.0 or v3.8.1 or this patch for v3.9.0 followed by running /RELOADMODULE core_user as a server operator.