CVE-2022-26495 Information

Description

In nbd-server in nbd before 3.24 there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO NBD_OPT_GO and NBD_OPT_EXPORT_NAME messages.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://sourceforge.net/projects/nbd/files/nbd/ https://lists.debian.org/nbd/2022/01/msg00037.html https://lists.debian.org/debian-lts-announce/2022/03/msg00014.html https://www.debian.org/security/2022/dsa-5100 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8