First published: Sun Mar 06 2022(Updated: )
In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/nbd | 1:3.19-3+deb10u1 1:3.21-1+deb11u1 1:3.24-1.1 1:3.25-1 | |
Network Block Device Project Network Block Device | <3.24 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-26496 is a vulnerability in nbd-server in nbd before version 3.24, which allows an attacker to cause a stack-based buffer overflow.
CVE-2022-26496 occurs due to a buffer overflow in the parsing of the name field in nbd-server, triggered by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with a large value as the length of the name.
The severity of CVE-2022-26496 is critical, with a CVSS score of 9.8.
CVE-2022-26496 affects nbd versions before 3.24, as well as Debian Linux 10.0, Debian Linux 11.0, Fedora 34, Fedora 35, and Fedora 36.
To fix CVE-2022-26496, update nbd to version 3.24 or later, and apply any relevant security patches provided by the operating system.