Description
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied a fixed-size header into it. If the specified size was too small, other heap content would be overwritten. Users with access to the mpr, mps, or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.
References (2)
Core References
Vendor Advisory vendor-advisory
https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240419-0002/
Scores
CVSS v3
7.8
EPSS
0.0025
EPSS Percentile
48.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-122
CWE-787
Status
published
Products (3)
freebsd/freebsd
12.3 (5 CPE variants)
freebsd/freebsd
13.0 (22 CPE variants)
freebsd/freebsd
12.0 - 12.3
Published
Feb 15, 2024
Tracked Since
Feb 18, 2026