CVE-2022-39836 — Out-of-bounds Read in Dlt-daemon

CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 67.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Covesa Dlt-daemon Debian Dlt-daemon Genivi Diagnostic LOG AND Trace

Timeline

PublishedOct 25

Description

An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is due to missing validation checks. There is a heap-based buffer over-read of one byte.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Debiancovesa/dlt-daemon< 2.18.9-1+1

▶debiandebian/dlt-daemon< dlt-daemon 2.18.9-1 (forky)

▶NVDgenivi/diagnostic_log_and_trace2.18.8

Patches

Patch: sec-consult.com ↗Patch: seclists.org ↗Patch: sec-consult.com ↗

🔴Vulnerability Details

OSV

CVE-2022-39836: An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2↗2022-10-25

▶

GHSA

GHSA-8gjv-jwgc-cx6r: An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2↗2022-10-25

▶

📋Vendor Advisories

Debian

CVE-2022-39836: dlt-daemon - An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemo...↗2022

▶