CVE-2022-26496 — Out-of-bounds Write in Block Device Project Network Block Device

CWE-787 — Out-of-bounds Write6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 35.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wouter Verhelst NBD Network Block Device Project Network Block Device Debian NBD +2 more

Timeline

PublishedMar 6

Latest updateMar 14

Description

In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/nbd< nbd 1:3.24-1 (bookworm)

▶NVDnetwork_block_device_project/network_block_device< 3.24

▶Debianwouter_verhelst/nbd< 1:3.21-1+deb11u1+3

Also affects: Debian Linux 10.0, 11.0, Fedora 34, 35, 36

🔴Vulnerability Details

GHSA

GHSA-mxm3-g2j6-276p: In nbd-server in nbd before 3↗2022-03-07

▶

OSV

CVE-2022-26496: In nbd-server in nbd before 3↗2022-03-06

▶

📋Vendor Advisories

Ubuntu

NBD vulnerabilities↗2022-03-14

▶

Debian

CVE-2022-26496: nbd - In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An att...↗2022

▶