CVE-2019-11366

Name of the Vulnerable Software and Affected Versions atftp version 0.7.1

Description The issue is related to the thread list mutex mutex in the atftpd component of atftp. It does not properly lock the mutex before assigning the current thread data structure, leading to a potential denial of service attack due to a NULL pointer dereference. If thread data is NULL when assigned to current, and modified by another thread before a certain check in tftpd list.c, there is a crash when dereferencing current->next. This allows a remote attacker to cause a denial of service.

Recommendations For atftp version 0.7.1, consider applying a patch that properly locks the thread list mutex mutex before assigning the current thread data structure to prevent the NULL pointer dereference. As a temporary workaround, consider restricting access to the atftpd service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.