CVE-2024-43167
Published 2024-08-12
Priority: P48 · Severity: low · CVSS 3.1 base score: 2.8
Vector: AV:L / AC:L / PR:L / UI:R / S:U / C:N / I:N / A:L
EPSS: 0.36% (28.2th percentile)
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | unbound | < unbound 1.17.1-2+deb12u3 (bookworm) | unbound 1.17.1-2+deb12u3 (bookworm) |
| msrc | azl3_unbound_1.19.1-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_unbound_1.19.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u3 | 1.13.1-1+deb11u3 |
| nlnetlabs | unbound | >= 0 < 1.17.1-2+deb12u3 | 1.17.1-2+deb12u3 |
| nlnetlabs | unbound | >= 0 < 1.21.1-1 | 1.21.1-1 |
| nlnetlabs | unbound | >= 0 < 1.21.1-1 | 1.21.1-1 |
| nlnetlabs | unbound | >= 0 < 1.9.4-2ubuntu1.8 | 1.9.4-2ubuntu1.8 |
| nlnetlabs | unbound | >= 0 < 1.13.1-1ubuntu5.7 | 1.13.1-1ubuntu5.7 |
| nlnetlabs | unbound | >= 0 < 1.19.2-1ubuntu3.2 | 1.19.2-1ubuntu3.2 |
| nlnetlabs | unbound | >= 0 < 1.4.22-1ubuntu4.14.04.3+esm1 | 1.4.22-1ubuntu4.14.04.3+esm1 |
| nlnetlabs | unbound | >= 0 < 1.5.8-1ubuntu1.1+esm1 | 1.5.8-1ubuntu1.1+esm1 |
| nlnetlabs | unbound | >= 0 < 1.6.7-1ubuntu2.6+esm2 | 1.6.7-1ubuntu2.6+esm2 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 2.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
| osv | — | 2.8 | LOW | — |
| vendor_debian | — | 2.8 | LOW | — |
| vendor_msrc | — | 2.8 | LOW | — |
| vendor_redhat | — | 2.8 | LOW | — |
| vendor_ubuntu | — | 2.8 | LOW | — |
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2024-09-11·CVSS 2.8
CVE-2024-43167 [LOW] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
It was discovered that Unbound incorrectly handled string comparisons,
which could lead to a NULL pointer dereference. An attacker could
potentially use this issue to cause a denial of service. (CVE-2024-43167)
It was discovered that Unbound incorrectly handled memory in
cfg_mark_ports, which could lead to a heap buffer overflow. A local
attacker could potentially use this issue to cause a denial of service
or execute arbitrary code. (CVE-2024-43168)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Unbound: null pointer dereference in unbound
vendor_msrc·2024-08-13·CVSS 2.8
CVE-2024-43167 [LOW] CWE-476 Unbound: null pointer dereference in unbound
Unbound: null pointer dereference in unbound
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
redhat: redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsof
Red Hat
unbound: NULL Pointer Dereference in Unbound
vendor_redhat·2024-08-07·CVSS 2.8
CVE-2024-43167 [LOW] CWE-476 unbound: NULL Pointer Dereference in Unbound
unbound: NULL Pointer Dereference in Unbound
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.
Debian
CVE-2024-43167: unbound - DISPUTE NOTE: this issue does not pose a security risk as it (according to analy...
vendor_debian·2024·CVSS 2.8
CVE-2024-43167 [LOW] CVE-2024-43167: unbound - DISPUTE NOTE: this issue does not pose a security risk as it (according to analy...
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.
OSV
unbound vulnerabilities
osv·2024-09-11·CVSS 2.8
CVE-2024-43167 [LOW] unbound vulnerabilities
unbound vulnerabilities
It was discovered that Unbound incorrectly handled string comparisons,
which could lead to a NULL pointer dereference. An attacker could
potentially use this issue to cause a denial of service. (CVE-2024-43167)
It was discovered that Unbound incorrectly handled memory in
cfg_mark_ports, which could lead to a heap buffer overflow. A local
attacker could potentially use this issue to cause a denial of service
or execute arbitrary code. (CVE-2024-43168)
OSV
CVE-2024-43167: DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the e
osv·2024-08-12·CVSS 2.8
CVE-2024-43167 [LOW] CVE-2024-43167: DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the e
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.
GHSA
GHSA-f34v-4q4f-pf5q: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound
ghsa_unreviewed·2024-08-12
CVE-2024-43167 [LOW] CWE-476 GHSA-f34v-4q4f-pf5q: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound
A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://access.redhat.com/security/cve/CVE-2024-43167
- https://bugzilla.redhat.com/show_bug.cgi?id=2303456
- https://github.com/NLnetLabs/unbound/issues/1072
- https://github.com/NLnetLabs/unbound/pull/1073/files
- http://www.openwall.com/lists/oss-security/2024/08/16/6
- https://lists.debian.org/debian-lts-announce/2024/09/msg00046.html
Published: 2024-08-12