First published: Tue Sep 05 2023
An issue was discovered in lldpd before 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This occurs in cdp_decode in daemon/protocols/cdp.c.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lldpd Project Lldpd | <1.0.17 | 1.0.17 |
| debian/lldpd | earlier than the fixed package for the release | 1.0.3-1+deb10u2 (buster), 1.0.11-1+deb11u2 (bullseye), 1.0.16-1+deb12u1 (bookworm), 1.0.17-1 |
| redhat/lldpd | <1.0.17 | 1.0.17 |
CVE-2023-41910 is a vulnerability in lldpd before version 1.0.17: by sending a crafted CDP frame to an interface that lldpd listens on, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory.
CVE-2023-41910 has a CVSS severity rating of 9.8 (critical). The defect is an out-of-bounds read, so the impacts a practitioner should plan for are a crash of the daemon (loss of link-layer discovery) and disclosure of adjacent heap contents.
CVE-2023-41910 affects lldpd versions before 1.0.17 (1.0.16 and earlier, unless a distribution has backported the fix); the trigger is a crafted CDP PDU containing specific CDP_TLV_ADDRESSES TLVs, which is handled by cdp_decode in daemon/protocols/cdp.c.
To fix CVE-2023-41910, update lldpd to version 1.0.17 or later and make sure the running daemon is restarted. Distribution packages may carry the fix under a lower upstream version number: on Debian the fixed packages are 1.0.3-1+deb10u2 (buster), 1.0.11-1+deb11u2 (bullseye) and 1.0.16-1+deb12u1 (bookworm), so compare the installed package against the fixed version for your release rather than against 1.0.17 alone.
More information about CVE-2023-41910 can be found in the following references: [GitHub Commit](https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b), [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2023-41910), [lldpd Releases](https://github.com/lldpd/lldpd/releases/tag/1.0.17).