CVE-2023-37187: 
Homebrew vulnerability analysis and mitigation

C-blosc2 before version 2.9.3 was discovered to contain a NULL pointer dereference vulnerability in the zfp/blosc2-zfp.c file, specifically in the zfp_acc_decompress function. The vulnerability was identified and disclosed on December 25, 2023, affecting all versions of the C-blosc2 software prior to version 2.9.3 (NVD, MITRE).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 base score of 7.5 (HIGH). The issue occurs in the zfp_acc_decompress function within the zfp/blosc2-zfp.c file, where the code fails to properly validate pointer existence before dereferencing. The vulnerability affects the core functionality of the C-blosc2 compression library (NVD).

The vulnerability has a high severity rating with a CVSS score of 7.5, indicating significant potential impact. When exploited, it can lead to application crashes and potential denial of service conditions due to the NULL pointer dereference. The vulnerability affects the availability of the system while not impacting confidentiality or integrity (NVD).

The vulnerability has been patched in C-blosc2 version 2.9.3. The fix involves adding proper NULL pointer checks before dereferencing in the affected function. Users are advised to upgrade to version 2.9.3 or later to address this security issue (GitHub Patch).