Vulnerability Description
An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is due to missing validation checks. There is a heap-based buffer over-read of one byte.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Genivi | Diagnostic Log And Trace | <= 2.18.8 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2024/06/msg00021.html
- https://sec-consult.com/vulnerability-lab/advisory/multiple-memory-corruption-vuExploitPatchThird Party Advisory
- https://seclists.org/fulldisclosure/2022/Sep/24ExploitMailing ListPatch
- https://lists.debian.org/debian-lts-announce/2024/06/msg00021.html
- https://sec-consult.com/vulnerability-lab/advisory/multiple-memory-corruption-vuExploitPatchThird Party Advisory
- https://seclists.org/fulldisclosure/2022/Sep/24ExploitMailing ListPatch
FAQ
What is CVE-2022-39836?
CVE-2022-39836 is a vulnerability with a CVSS score of 5.5 (MEDIUM). An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is d...
How severe is CVE-2022-39836?
CVE-2022-39836 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39836?
Check the references section above for vendor advisories and patch information. Affected products include: Genivi Diagnostic Log And Trace.