CVE-2023-29146 Overview
CVE-2023-29146 is an integer overflow vulnerability [CWE-190] in the utility functions used by Malwarebytes Endpoint Detection and Response (EDR) 1.0.11 on Linux. The hashing routines truncate input data that exceeds 4GB in size. This truncation occurs because a length value wraps around the maximum unsigned 32-bit integer. An attacker with high local privileges can craft two different inputs that produce the same cryptographic hash by appending 4GB of data to a shorter input.
Critical Impact
Hash collisions in an EDR product can undermine integrity checks, allowing attackers to substitute malicious content while preserving expected hash values.
Affected Products
- Malwarebytes EDR 1.0.11 on Linux
Discovery Timeline
- 2026-06-09 - CVE-2023-29146 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2023-29146
Vulnerability Analysis
The defect resides in the utility functions Malwarebytes EDR uses to compute cryptographic hashes of byte buffers on Linux. When the input length exceeds 4GB, the code uses a 32-bit unsigned counter that wraps around. The hashing routine then processes only the truncated remainder rather than the entire input. This breaks the collision resistance guarantee expected from the underlying cryptographic primitive. Two semantically different inputs can produce identical digests when one is padded with 4GB of arbitrary data.
Hash collisions in an EDR context affect integrity verification, allowlisting decisions, and detection logic that rely on file or buffer hashes as unique identifiers. Attackers who can place crafted files on the host can mask malicious content under a known-good hash.
Root Cause
The root cause is improper handling of a length variable that is stored or processed as a 32-bit unsigned integer. Inputs larger than 0xFFFFFFFF bytes overflow the counter. The hashing loop then operates on the wrapped, smaller length, silently truncating the data fed into the digest function.
Attack Vector
Exploitation requires local access with high privileges on the affected Linux host. An attacker stages a file or buffer larger than 4GB whose first portion matches a target benign input, then appends 4GB of attacker-controlled bytes. The EDR utility hashes both inputs to the same digest. The CVSS vector indicates a scope change, reflecting the impact on components that consume the EDR's hash output for trust decisions.
No public proof-of-concept exploit is referenced in the advisory, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2023-29146
Indicators of Compromise
- Files larger than 4GB written to paths processed by Malwarebytes EDR scanning utilities
- Unexpected duplicate hash values appearing across files with different content or sizes
- Local privileged processes generating large padded files near the 4GB boundary
Detection Strategies
- Monitor Malwarebytes EDR logs for hashing operations on files exceeding 4GB and correlate with subsequent integrity decisions
- Cross-check critical file integrity using an independent hashing tool that handles 64-bit lengths correctly
- Alert on creation of unusually large files in directories scanned by the EDR agent
Monitoring Recommendations
- Audit local privileged account activity on Linux endpoints running Malwarebytes EDR 1.0.11
- Track filesystem events for files exceeding 4294967295 bytes using auditd or eBPF-based sensors
- Compare hash values computed by the EDR against a reference SHA-256 implementation on a sample basis
How to Mitigate CVE-2023-29146
Immediate Actions Required
- Upgrade Malwarebytes EDR for Linux to a version later than 1.0.11 that addresses the integer wrap-around in the hashing utility
- Restrict local privileged access on hosts running the affected EDR agent to limit who can stage large crafted files
- Validate any allowlist or integrity decisions that depend on hashes produced by the affected EDR version
Patch Information
Refer to the vendor advisory at Malwarebytes CVE-2023-29146 Details for fixed version information and update guidance specific to Linux deployments.
Workarounds
- Enforce filesystem quotas or size limits that prevent untrusted users from writing files larger than 4GB on managed Linux hosts
- Supplement EDR hash-based integrity checks with an independent verification tool that uses 64-bit length handling
- Reduce the number of accounts holding the high privileges required to exploit this issue
# Example: restrict per-user file size with ulimit (4GB hard cap)
# Place in /etc/security/limits.d/edr-mitigation.conf
* hard fsize 4194304
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

