7.5

CVE-2022-27882

Exploit
slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer signedness error and resultant heap-based buffer overflow triggerable by a crafted IPv6 router advertisement. NOTE: privilege separation and pledge can prevent exploitation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenbsdOpenbsd Version6.9
OpenbsdOpenbsd Version7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.88% 0.767
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-681 Incorrect Conversion between Numeric Types

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

https://blog.quarkslab.com/heap-overflow-in-openbsds-slaacd-via-router-advertisement.html
Third Party Advisory
Exploit
https://security.netapp.com/advisory/ntap-20220506-0005/
Third Party Advisory
https://ftp.openbsd.org/pub/OpenBSD/patches/6.9/common/033_slaacd.patch.sig
Patch
Vendor Advisory
Release Notes
https://ftp.openbsd.org/pub/OpenBSD/patches/7.0/common/017_slaacd.patch.sig
Patch
Vendor Advisory
Release Notes