CVE-2022-2928
MEDIUMISC DHCP 4.4.0-4.4.3 and 4.1-ESV-R1-4.1-ESV-R16-P1 - Denial of Service via Reference Counter Overflow
Title source: llmDescription
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-22
Vendor Advisory
https://kb.isc.org/docs/cve-2022-2928
Scores
CVSS v3
6.5
EPSS
0.0008
EPSS Percentile
22.5%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-476
Status
published
Products (6)
debian/debian_linux
10.0
fedoraproject/fedora
35
fedoraproject/fedora
36
fedoraproject/fedora
37
isc/dhcp
4.1-esv r1 (29 CPE variants)
isc/dhcp
4.4.0 - 4.4.3
Published
Oct 07, 2022
Tracked Since
Feb 18, 2026