CVE-2024-43167

2024-08-1213:38:35

Debian Security Bug Tracker

security-tracker.debian.org

unbound

null pointer

segmentation fault

denial of service

CVSS3

2.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

AI Score

3.9

Confidence

High

EPSS

Percentile

16.3%

JSON

A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.

OSVersionArchitecturePackageVersionFilename
Debian12allunbound<= 1.17.1-2+deb12u2unbound_1.17.1-2+deb12u2_all.deb
Debian11allunbound<= 1.13.1-1+deb11u2unbound_1.13.1-1+deb11u2_all.deb
Debian999allunbound<= 1.20.0-1unbound_1.20.0-1_all.deb
Debian13allunbound<= 1.20.0-1unbound_1.20.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	unbound	<= 1.17.1-2+deb12u2	unbound_1.17.1-2+deb12u2_all.deb
Debian	11	all	unbound	<= 1.13.1-1+deb11u2	unbound_1.13.1-1+deb11u2_all.deb
Debian	999	all	unbound	<= 1.20.0-1	unbound_1.20.0-1_all.deb
Debian	13	all	unbound	<= 1.20.0-1	unbound_1.20.0-1_all.deb