Description
An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.
References (4)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/torvalds/linux/commit/b102f0c522cf668c8382c56a4f771b37d011cda2
Patch, Vendor Advisory x_refsource_misc
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b102f0c522cf668c8382c56a4f771b37d011cda2
Release Notes, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200608-0001/
Scores
CVSS v3: 6.7
EPSS: 0.0017
EPSS Percentile: 37.7%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-120
Status: published
Products (16)
linux/linux_kernel: 4.16 - 4.19.111
netapp/active_iq_unified_manager
netapp/aff_baseboard_management_controller: a700s
netapp/cloud_backup
netapp/hci_baseboard_management_controller: h300s
netapp/hci_baseboard_management_controller: h410c
netapp/hci_baseboard_management_controller: h410s
netapp/hci_baseboard_management_controller: h500s
netapp/hci_baseboard_management_controller: h610c
netapp/hci_baseboard_management_controller: h610s
... and 6 more
Published: Apr 29, 2020
Tracked Since: Feb 18, 2026