CVE-2023-37185: 
Homebrew vulnerability analysis and mitigation

C-blosc2 before version 2.9.3 was discovered to contain a NULL pointer dereference vulnerability via the function zfp_prec_decompress in the file zfp/blosc2-zfp.c. The vulnerability was disclosed on December 25, 2023, and assigned identifier CVE-2023-37185. The affected software is the c-blosc2 compression library, with all versions prior to 2.9.3 being vulnerable (NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) issue. The security flaw exists in the zfp_prec_decompress function within the zfp/blosc2-zfp.c file. The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a denial of service condition when the affected function attempts to dereference a NULL pointer. This can cause the application to crash or become unresponsive, affecting the availability of systems using the c-blosc2 library (NVD).

The vulnerability has been patched in c-blosc2 version 2.9.3. Users are advised to upgrade to this version or later to address the security issue. The fix includes additional validation to check for NULL pointers before dereferencing them (GitHub Patch).