CVE-2024-43168
published 2024-08-12CVE-2024-43168: DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected…
PriorityP423medium4.8CVSS 3.1
AVLACLPRLUIRSUCLILAL
EPSS
0.31%
22.8th percentile
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could result in a denial of service or unauthorized actions on the system.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | unbound | < unbound 1.17.1-2+deb12u3 (bookworm) | unbound 1.17.1-2+deb12u3 (bookworm) |
| msrc | azl3_unbound_1.19.1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_unbound_1.19.1-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_unbound_1.19.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_unbound_1.19.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u3 | 1.13.1-1+deb11u3 |
| nlnetlabs | unbound | >= 0 < 1.17.1-2+deb12u3 | 1.17.1-2+deb12u3 |
| nlnetlabs | unbound | >= 0 < 1.20.0-1 | 1.20.0-1 |
| nlnetlabs | unbound | >= 0 < 1.20.0-1 | 1.20.0-1 |
| nlnetlabs | unbound | >= 0 < 1.9.4-2ubuntu1.8 | 1.9.4-2ubuntu1.8 |
| nlnetlabs | unbound | >= 0 < 1.13.1-1ubuntu5.7 | 1.13.1-1ubuntu5.7 |
| nlnetlabs | unbound | >= 0 < 1.19.2-1ubuntu3.2 | 1.19.2-1ubuntu3.2 |
| nlnetlabs | unbound | >= 0 < 1.4.22-1ubuntu4.14.04.3+esm1 | 1.4.22-1ubuntu4.14.04.3+esm1 |
| nlnetlabs | unbound | >= 0 < 1.5.8-1ubuntu1.1+esm1 | 1.5.8-1ubuntu1.1+esm1 |
| nlnetlabs | unbound | >= 0 < 1.6.7-1ubuntu2.6+esm2 | 1.6.7-1ubuntu2.6+esm2 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
osv4.8MEDIUM
vendor_debian4.8MEDIUM
vendor_msrc4.8MEDIUM
vendor_redhat4.8MEDIUM
vendor_ubuntu2.8LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
unbound vulnerabilities
osv·2024-09-11·CVSS 2.8
CVE-2024-43167 [LOW] unbound vulnerabilities
unbound vulnerabilities
It was discovered that Unbound incorrectly handled string comparisons,
which could lead to a NULL pointer dereference. An attacker could
potentially use this issue to cause a denial of service. (CVE-2024-43167)
It was discovered that Unbound incorrectly handled memory in
cfg_mark_ports, which could lead to a heap buffer overflow. A local
attacker could potentially use this issue to cause a denial of service
or execute arbitrary code. (CVE-2024-43168)
GHSA
GHSA-3jwc-8hp9-37fw: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file
ghsa_unreviewed·2024-08-12
CVE-2024-43168 [MEDIUM] CWE-122 GHSA-3jwc-8hp9-37fw: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file
A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could result in a denial of service or unauthorized actions on the system.
OSV
CVE-2024-43168: DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the e
osv·2024-08-12·CVSS 4.8
CVE-2024-43168 [MEDIUM] CVE-2024-43168: DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the e
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could r
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2024-09-11·CVSS 2.8
CVE-2024-43167 [LOW] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
It was discovered that Unbound incorrectly handled string comparisons,
which could lead to a NULL pointer dereference. An attacker could
potentially use this issue to cause a denial of service. (CVE-2024-43167)
It was discovered that Unbound incorrectly handled memory in
cfg_mark_ports, which could lead to a heap buffer overflow. A local
attacker could potentially use this issue to cause a denial of service
or execute arbitrary code. (CVE-2024-43168)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Unbound: heap-buffer-overflow in unbound
vendor_msrc·2024-08-13·CVSS 4.8
CVE-2024-43168 [MEDIUM] CWE-122 Unbound: heap-buffer-overflow in unbound
Unbound: heap-buffer-overflow in unbound
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
redhat: redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.co
Red Hat
unbound: Heap-Buffer-Overflow in Unbound
vendor_redhat·2024-08-07·CVSS 4.8
CVE-2024-43168 [MEDIUM] CWE-122 unbound: Heap-Buffer-Overflow in Unbound
unbound: Heap-Buffer-Overflow in Unbound
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allow
Debian
CVE-2024-43168: unbound - DISPUTE NOTE: this issue does not pose a security risk as it (according to analy...
vendor_debian·2024·CVSS 4.8
CVE-2024-43168 [MEDIUM] CVE-2024-43168: unbound - DISPUTE NOTE: this issue does not pose a security risk as it (according to analy...
DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could r
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-08-12
Published