HIGH 8.2

CVE-2023-29146: Integer Overflow in Malwarebytes EDR 1.0.11 Linux Hash Functions

Malwarebytes EDR 1.0.11 on Linux contains a flaw in how it calculates cryptographic hashes of data. When processing files or data larger than 4GB, the hashing function incorrectly truncates the input, causing the hash calculation to wrap around. This means an attacker with elevated privileges could craft two different data sets that produce the same hash value—a collision. Because hash matching is often used to verify file integrity or authenticate data, this vulnerability could allow an attacker to bypass security controls or forge trusted content.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an integer overflow in Malwarebytes EDR 1.0.11's hash utility functions on Linux. The hash calculation logic uses a 32-bit unsigned integer to track data length, which maxes out at 4GB (2^32 bytes). When data exceeds this threshold, the length counter wraps around to zero, causing the hash function to process only the portion of data up to the 4GB boundary. An attacker can exploit this by appending 4GB of arbitrary data to a target string; the resulting hash will collide with the hash of a shorter, different string that also occupies the same position in the hash space. This is a direct manifestation of CWE-190 (Integer Overflow or Wraparound).

Business impact

Hash collisions in security software have serious integrity implications. If Malwarebytes EDR relies on hashes to validate malware signatures, log integrity, or file quarantine metadata, a collision attack could allow malware or tampered files to be misidentified or trusted when they should be quarantined. An attacker with administrative or local system access could potentially bypass detection, forge audit records, or cause the EDR to accept malicious content as legitimate. The scope of impact extends beyond the EDR system itself, affecting the broader security posture of affected organizations.

Affected systems

This vulnerability affects Malwarebytes EDR version 1.0.11 on Linux systems. The flaw is specific to the utility functions used for cryptographic hashing on this platform and version. Administrators should verify their Malwarebytes EDR deployment version and operating system to determine exposure. Earlier or later versions may not be affected; version-specific patch documentation should be consulted.

Exploitability

Exploitation requires high privilege level (PR:H) on the local system, meaning the attacker must already have elevated access (root or equivalent). This significantly raises the barrier to exploitation, as it is not a remote, unauthenticated attack vector. However, once an attacker has root or administrative access, the attack is straightforward to execute and leaves no obvious alerting signature. The attack surface is limited to local privilege-context operations that involve hash validation.

Remediation

Organizations running Malwarebytes EDR 1.0.11 on Linux should apply the vendor's security patch as soon as it is available and tested in their environment. The patch will address the integer overflow by correctly handling data larger than 4GB, likely by using a 64-bit or arbitrary-precision integer for length tracking. After patching, conduct a brief audit of any security functions that relied on hash validation during the window of vulnerability exposure.

Patch guidance

Verify the latest Malwarebytes EDR patch version against the official Malwarebytes security advisory to confirm that the integer overflow in hash utility functions has been corrected. Deploy patches through Malwarebytes' standard update mechanism to all affected Linux systems. Test in a non-production environment first to ensure compatibility with your existing deployments, monitoring systems, and security policies. Prioritize systems that process or validate large data objects (>4GB) most frequently.

Detection guidance

Monitor for anomalous use of Malwarebytes EDR APIs or utilities that perform cryptographic hashing, particularly in contexts where data objects exceed 4GB. Look for process execution anomalies from high-privilege accounts attempting to manipulate hash validation routines. Audit logs should be reviewed for any discrepancies in file quarantine records or signature validation during the affected period. If available, enable verbose logging in Malwarebytes EDR to capture hash calculation details on large data transfers.

Why prioritize this

Although this vulnerability carries a CVSS score of 8.2 (HIGH severity) with significant impact potential (confidentiality, integrity, availability all marked high), the requirement for high privilege (PR:H) substantially limits immediate risk in most environments. However, organizations should not deprioritize this indefinitely. In environments where administrators or service accounts are frequently compromised, or where privilege escalation flaws exist, an attacker could chain this vulnerability to achieve hash collisions that bypass security controls. The core risk—ability to forge trusted hashes in security software—warrants timely patching during the next maintenance window.

Risk score, explained

The CVSS:3.1 score of 8.2 reflects high impact (C:H, I:H, A:H) across confidentiality, integrity, and availability, combined with low attack complexity (AC:L) and local attack vector (AV:L). However, the requirement for high privileges (PR:H) reduces the practical exploitability from critical to high. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component itself—in this case, any security decision based on hash validation. The score appropriately captures the severity of hash collision logic flaws while accounting for the elevated privilege requirement.

Frequently asked questions

Does this vulnerability allow remote attackers to exploit Malwarebytes EDR?

No. The vulnerability requires local system access and high privilege level (root or administrative equivalent). It is not remotely exploitable and requires an attacker to already have escalated access on the compromised system.

How can I tell if my Malwarebytes EDR deployment is affected?

Check the version number of your Malwarebytes EDR agent on all Linux systems. The vulnerability affects version 1.0.11 specifically. Verify against your current deployment inventory. Once a patch is released by Malwarebytes, the advisory will specify which versions are vulnerable and which versions contain the fix.

What is the practical impact of a hash collision in Malwarebytes EDR?

Hash collisions can undermine any security decision that relies on cryptographic hash matching, such as malware signature verification, file integrity validation, or log authentication. An attacker with high privilege could potentially forge hashes to make malicious files appear trusted or to alter audit trail records.

Are there workarounds if I cannot patch immediately?

The primary mitigation is to restrict high-privilege account access and monitor for suspicious use of EDR hash utility functions. However, there is no substitute for applying the vendor patch. Do not delay patching beyond your next maintenance window.

This analysis is provided for informational and educational purposes. The information herein reflects the vulnerability as described in the CVE record and public vendor advisories. No exploit code or weaponized proof-of-concept is provided. Organizations should verify all patch versions, timelines, and mitigation steps against official vendor documentation and security advisories before taking action. SEC.co does not provide legal or compliance advice; consult your organization's security and legal teams regarding remediation timelines and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).