CVE-2022-2928
published 2022-10-07CVE-2022-2928: In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the…
PriorityP427medium6.5CVSS 3.1
AVAACLPRNUINSUCNINAH
EPSS
0.66%
47.1th percentile
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | isc-dhcp | < isc-dhcp 4.4.3-2.1 (bookworm) | isc-dhcp 4.4.3-2.1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| isc | dhcp | — | — |
| isc | dhcp | 4.4.0 – 4.4.3 | — |
| isc | isc_dhcp | — | — |
| isc | isc_dhcp | — | — |
| msrc | azl3_dhcp_4.4.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_dhcp_4.4.3.p1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_dhcp_4.4.3-3_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_dhcp_4.4.2-3_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_msrc6.5MEDIUM
vendor_redhat6.5MEDIUM
vendor_ubuntu6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
isc-dhcp vulnerabilities
osv·2022-11-21·CVSS 6.5
CVE-2022-2928 [MEDIUM] isc-dhcp vulnerabilities
isc-dhcp vulnerabilities
USN-5658-1 fixed several vulnerabilities in DHCP. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that DHCP incorrectly handled option reference counting.
A remote attacker could possibly use this issue to cause DHCP servers to
crash, resulting in a denial of service. (CVE-2022-2928)
It was discovered that DHCP incorrectly handled certain memory operations.
A remote attacker could possibly use this issue to cause DHCP clients and
servers to consume resources, leading to a denial of service.
(CVE-2022-2929)
OSV
isc-dhcp vulnerabilities
osv·2022-11-07·CVSS 6.5
CVE-2022-2928 [MEDIUM] isc-dhcp vulnerabilities
isc-dhcp vulnerabilities
USN-5658-1 fixed vulnerabilities in DHCP. This update provides
the corresponding updates for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that DHCP incorrectly handled option reference counting.
A remote attacker could possibly use this issue to cause DHCP servers to
crash, resulting in a denial of service. (CVE-2022-2928)
It was discovered that DHCP incorrectly handled certain memory operations.
A remote attacker could possibly use this issue to cause DHCP clients and
servers to consume resources, leading to a denial of service.
(CVE-2022-2929)
OSV
CVE-2022-2928: In ISC DHCP 4
osv·2022-10-07·CVSS 6.5
CVE-2022-2928 [MEDIUM] CVE-2022-2928: In ISC DHCP 4
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
GHSA
GHSA-5fp7-mmwq-gvmw: In ISC DHCP 4
ghsa_unreviewed·2022-10-07
CVE-2022-2928 [HIGH] CWE-476 GHSA-5fp7-mmwq-gvmw: In ISC DHCP 4
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
OSV
isc-dhcp vulnerabilities
osv·2022-10-05·CVSS 6.5
CVE-2022-2928 [MEDIUM] isc-dhcp vulnerabilities
isc-dhcp vulnerabilities
It was discovered that DHCP incorrectly handled option reference counting.
A remote attacker could possibly use this issue to cause DHCP servers to
crash, resulting in a denial of service. (CVE-2022-2928)
It was discovered that DHCP incorrectly handled certain memory operations.
A remote attacker could possibly use this issue to cause DHCP clients and
servers to consume resources, leading to a denial of service.
(CVE-2022-2929)
Ubuntu
DHCP vulnerabilities
vendor_ubuntu·2022-11-21·CVSS 6.5
CVE-2022-2929 [MEDIUM] DHCP vulnerabilities
Title: DHCP vulnerabilities
Summary: Several security issues were fixed in DHCP.
USN-5658-1 fixed several vulnerabilities in DHCP. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that DHCP incorrectly handled option reference counting.
A remote attacker could possibly use this issue to cause DHCP servers to
crash, resulting in a denial of service. (CVE-2022-2928)
It was discovered that DHCP incorrectly handled certain memory operations.
A remote attacker could possibly use this issue to cause DHCP clients and
servers to consume resources, leading to a denial of service.
(CVE-2022-2929)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
DHCP vulnerabilities
vendor_ubuntu·2022-11-07·CVSS 6.5
CVE-2022-2928 [MEDIUM] DHCP vulnerabilities
Title: DHCP vulnerabilities
Summary: Several security issues were fixed in DHCP.
USN-5658-1 fixed vulnerabilities in DHCP. This update provides
the corresponding updates for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that DHCP incorrectly handled option reference counting.
A remote attacker could possibly use this issue to cause DHCP servers to
crash, resulting in a denial of service. (CVE-2022-2928)
It was discovered that DHCP incorrectly handled certain memory operations.
A remote attacker could possibly use this issue to cause DHCP clients and
servers to consume resources, leading to a denial of service.
(CVE-2022-2929)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
An option refcount overflow exists in dhcpd
vendor_msrc·2022-10-11·CVSS 6.5
CVE-2022-2928 [MEDIUM] CWE-476 An option refcount overflow exists in dhcpd
An option refcount overflow exists in dhcpd
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
isc: isc
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/e
Red Hat
dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort
vendor_redhat·2022-10-05·CVSS 6.5
CVE-2022-2928 [MEDIUM] CWE-190 dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort
dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there i
Ubuntu
DHCP vulnerabilities
vendor_ubuntu·2022-10-05·CVSS 6.5
CVE-2022-2929 [MEDIUM] DHCP vulnerabilities
Title: DHCP vulnerabilities
Summary: Several security issues were fixed in DHCP.
It was discovered that DHCP incorrectly handled option reference counting.
A remote attacker could possibly use this issue to cause DHCP servers to
crash, resulting in a denial of service. (CVE-2022-2928)
It was discovered that DHCP incorrectly handled certain memory operations.
A remote attacker could possibly use this issue to cause DHCP clients and
servers to consume resources, leading to a denial of service.
(CVE-2022-2929)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2022-2928: isc-dhcp - In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the func...
vendor_debian·2022·CVSS 6.5
CVE-2022-2928 [MEDIUM] CVE-2022-2928: isc-dhcp - In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the func...
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
Scope: local
bookworm: resolved (fixed in 4.4.3-2.1)
bullseye: resolved (fixed in 4.4.1-2.3+deb11u1)
sid: resolved (fixed in 4.4.3-2.1)
trixie: resolved (fixed in 4.4.3-2.1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://kb.isc.org/docs/cve-2022-2928https://lists.debian.org/debian-lts-announce/2022/10/msg00015.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/https://security.gentoo.org/glsa/202305-22https://kb.isc.org/docs/cve-2022-2928https://lists.debian.org/debian-lts-announce/2022/10/msg00015.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/https://security.gentoo.org/glsa/202305-22
2022-10-07
Published