In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
The ULE extension handler tables (ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[]) are declared with 255 elements (valid indices 0–254). The htype index is determined from network-controlled data via the expression (ule_sndu_type & 0x00FF), which yields a range of 0–255. When htype takes the value 255, an out-of-bounds read occurs in the function pointer table. The value read in this way can then be invoked as a function pointer, opening a path to code execution. The fix introduces a check of the htype value against the table size before its use — SNDU packets with values outside the range are now rejected.
An attacker supplying properly crafted network data can trigger an out-of-bounds memory read and potentially execute arbitrary code in the kernel context, which may result in complete system compromise.
Apply patches available from the vendor according to references (commits published in the kernel.org/stable repository)
Linux kernel — versions indicated in vendor references (commits available in the stable repository at kernel.org)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux2.6.127.05.16 – 6.1.167 (bez)6.2 – 6.6.130 (bez)2.6.12.1 – 5.10.253 (bez)6.13 – 6.18.19 (bez)6.19 – 6.19.9 (bez)6.7 – 6.12.78 (bez)5.11 – 5.15.203 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...