CVE-2022-26496

NameCVE-2022-26496
DescriptionIn nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5100-1
Debian Bugs1006915

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nbd (PTS)jessie, jessie (lts)1:3.8-4+deb8u3vulnerable
stretch (security), stretch (lts), stretch1:3.15.2-3+deb9u1fixed
buster (security), buster, buster (lts)1:3.19-3+deb10u1fixed
bullseye (security), bullseye1:3.21-1+deb11u1fixed
bookworm1:3.24-1.1fixed
sid, trixie1:3.26.1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nbdsourcejessie(unfixed)end-of-life
nbdsourcestretch(not affected)
nbdsourcebuster1:3.19-3+deb10u1DSA-5100-1
nbdsourcebullseye1:3.21-1+deb11u1DSA-5100-1
nbdsource(unstable)1:3.24-11006915

Notes

[stretch] - nbd <not-affected> (NBD_OPT_INFO/NBD_OPT_GO introduced later, in 3.16)
https://lists.debian.org/nbd/2022/01/msg00036.html
https://lists.debian.org/nbd/2022/01/msg00037.html

Search for package or bug name: Reporting problems