PT-2019-5733 · Net-Snmp

Published: 2019-01-02 · Updated: 2022-09-02 · CVE-2019-20892

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: net-snmp versions prior to 5.8.1.pre1

Description: The issue is caused by a double free in the usm_free_usmStateReference function (snmplib/snmpusm.c). A remote attacker can trigger it with specially crafted GetBulk requests, potentially leading to a denial of service. The problem affects net-snmp packages shipped to end users by multiple Linux distributions.

Recommendations: For versions prior to 5.8.1.pre1, update to version 5.8.1.pre1 or later to resolve the issue. As a temporary workaround, consider restricting access to the usm_free_usmStateReference function in snmplib/snmpusm.c until a patch is available. Avoid using the GetBulk request against the affected API endpoint until the issue is resolved.

Weakness Enumeration

Double Free

Related Identifiers

BDU:2021-01038
CVE-2019-20892
USN-4410-1

Affected Products

Linuxmint
Ubuntu
Net-Snmp