CVE-2022-26496
CRITICALnetwork_block_device < 3.24 - Stack-Based Buffer Overflow via Crafted NBD_OPT_INFO or NBD_OPT_GO Message
Title source: llmDescription
In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.
References (9)
Core 9
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5100
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202402-10
Mailing List, Third Party Advisory
https://lists.debian.org/nbd/2022/01/msg00036.html
Exploit, Mailing List, Third Party Advisory
https://lists.debian.org/nbd/2022/01/msg00037.html
Product, Release Notes, Third Party Advisory
https://sourceforge.net/projects/nbd/files/nbd/
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/172148/Shannon-Baseband-fmtp-SDP-Attribute-Memory-Corruption.html
Scores
CVSS v3
9.8
EPSS
0.0042
EPSS Percentile
62.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (6)
debian/debian_linux
10.0
debian/debian_linux
11.0
fedoraproject/fedora
34
fedoraproject/fedora
35
fedoraproject/fedora
36
network_block_device_project/network_block_device
< 3.24
Published
Mar 06, 2022
Tracked Since
Feb 18, 2026