CVE-2022-26496 — CRITICAL (9.8)

Q: How severe is CVE-2022-26496?

CVE-2022-26496 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-26496?

Check the references section above for vendor advisories and patch information. Affected products include: Network Block Device Project Network Block Device, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Network Block Device Project	Network Block Device	< 3.24
Debian	Debian Linux	10.0
Fedoraproject	Fedora	34

Related Weaknesses (CWE)

CWE-787

References

http://packetstormsecurity.com/files/172148/Shannon-Baseband-fmtp-SDP-Attribute-
https://lists.debian.org/nbd/2022/01/msg00036.htmlMailing ListThird Party Advisory
https://lists.debian.org/nbd/2022/01/msg00037.htmlExploitMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202402-10
https://sourceforge.net/projects/nbd/files/nbd/ProductRelease NotesThird Party Advisory
https://www.debian.org/security/2022/dsa-5100Third Party Advisory
http://packetstormsecurity.com/files/172148/Shannon-Baseband-fmtp-SDP-Attribute-
https://lists.debian.org/nbd/2022/01/msg00036.htmlMailing ListThird Party Advisory
https://lists.debian.org/nbd/2022/01/msg00037.htmlExploitMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2022-26496?

CVE-2022-26496 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO messa...

How severe is CVE-2022-26496?

CVE-2022-26496 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-26496?

Check the references section above for vendor advisories and patch information. Affected products include: Network Block Device Project Network Block Device, Debian Debian Linux, Fedoraproject Fedora.