Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-29146

CVE-2023-29146: Malwarebytes EDR Hash Collision Flaw

CVE-2023-29146 is a cryptographic hash collision flaw in Malwarebytes EDR 1.0.11 on Linux that allows attackers to create colliding hash values. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2023-29146 Overview

CVE-2023-29146 is an integer overflow vulnerability [CWE-190] in the utility functions used by Malwarebytes Endpoint Detection and Response (EDR) 1.0.11 on Linux. The hashing routines truncate input data that exceeds 4GB in size. This truncation occurs because a length value wraps around the maximum unsigned 32-bit integer. An attacker with high local privileges can craft two different inputs that produce the same cryptographic hash by appending 4GB of data to a shorter input.

Critical Impact

Hash collisions in an EDR product can undermine integrity checks, allowing attackers to substitute malicious content while preserving expected hash values.

Affected Products

  • Malwarebytes EDR 1.0.11 on Linux

Discovery Timeline

  • 2026-06-09 - CVE-2023-29146 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2023-29146

Vulnerability Analysis

The defect resides in the utility functions Malwarebytes EDR uses to compute cryptographic hashes of byte buffers on Linux. When the input length exceeds 4GB, the code uses a 32-bit unsigned counter that wraps around. The hashing routine then processes only the truncated remainder rather than the entire input. This breaks the collision resistance guarantee expected from the underlying cryptographic primitive. Two semantically different inputs can produce identical digests when one is padded with 4GB of arbitrary data.

Hash collisions in an EDR context affect integrity verification, allowlisting decisions, and detection logic that rely on file or buffer hashes as unique identifiers. Attackers who can place crafted files on the host can mask malicious content under a known-good hash.

Root Cause

The root cause is improper handling of a length variable that is stored or processed as a 32-bit unsigned integer. Inputs larger than 0xFFFFFFFF bytes overflow the counter. The hashing loop then operates on the wrapped, smaller length, silently truncating the data fed into the digest function.

Attack Vector

Exploitation requires local access with high privileges on the affected Linux host. An attacker stages a file or buffer larger than 4GB whose first portion matches a target benign input, then appends 4GB of attacker-controlled bytes. The EDR utility hashes both inputs to the same digest. The CVSS vector indicates a scope change, reflecting the impact on components that consume the EDR's hash output for trust decisions.

No public proof-of-concept exploit is referenced in the advisory, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2023-29146

Indicators of Compromise

  • Files larger than 4GB written to paths processed by Malwarebytes EDR scanning utilities
  • Unexpected duplicate hash values appearing across files with different content or sizes
  • Local privileged processes generating large padded files near the 4GB boundary

Detection Strategies

  • Monitor Malwarebytes EDR logs for hashing operations on files exceeding 4GB and correlate with subsequent integrity decisions
  • Cross-check critical file integrity using an independent hashing tool that handles 64-bit lengths correctly
  • Alert on creation of unusually large files in directories scanned by the EDR agent

Monitoring Recommendations

  • Audit local privileged account activity on Linux endpoints running Malwarebytes EDR 1.0.11
  • Track filesystem events for files exceeding 4294967295 bytes using auditd or eBPF-based sensors
  • Compare hash values computed by the EDR against a reference SHA-256 implementation on a sample basis

How to Mitigate CVE-2023-29146

Immediate Actions Required

  • Upgrade Malwarebytes EDR for Linux to a version later than 1.0.11 that addresses the integer wrap-around in the hashing utility
  • Restrict local privileged access on hosts running the affected EDR agent to limit who can stage large crafted files
  • Validate any allowlist or integrity decisions that depend on hashes produced by the affected EDR version

Patch Information

Refer to the vendor advisory at Malwarebytes CVE-2023-29146 Details for fixed version information and update guidance specific to Linux deployments.

Workarounds

  • Enforce filesystem quotas or size limits that prevent untrusted users from writing files larger than 4GB on managed Linux hosts
  • Supplement EDR hash-based integrity checks with an independent verification tool that uses 64-bit length handling
  • Reduce the number of accounts holding the high privileges required to exploit this issue
bash
# Example: restrict per-user file size with ulimit (4GB hard cap)
# Place in /etc/security/limits.d/edr-mitigation.conf
* hard fsize 4194304

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.