In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBDOPTINFO, NBDOPTGO, and NBDOPTEXPORT_NAME messages.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/26xxx/CVE-2022-26495.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "3.24"
}
],
"source": "DESCRIPTION"
}
],
"cna_assigner": "mitre"
}{
"cpe": "cpe:2.3:a:network_block_device_project:network_block_device:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.24"
}
],
"source": "CPE_RANGE"
}