PT-2022-5137 · D-Bus+10 · D-Bus+10

Evgeny Vereshchagin

·

Published

2022-10-05

·

Updated

2025-01-28

·

CVE-2022-42011

CVSS v2.0

6.8

Medium

VectorAV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions D-Bus versions 1.12.24 and earlier, 1.13.x, 1.14.x before 1.14.4, and 1.15.x before 1.15.2
Description An issue was discovered in D-Bus where an authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with an array length inconsistent with the size of the element type. This is related to a boundary error caused by an invalid array of fixed-length elements, where the array length is not a multiple of the element length. The exploitation of this issue can allow a remote attacker to cause a denial of service.
Recommendations For D-Bus versions 1.12.24 and earlier, update to version 1.12.24 or later. For D-Bus version 1.13.x, update to version 1.14.4 or later. For D-Bus versions 1.14.x before 1.14.4, update to version 1.14.4 or later. For D-Bus versions 1.15.x before 1.15.2, update to version 1.15.2 or later.

Exploit

Fix

Improper Validation of Array Index

Weakness Enumeration

CWE-129

Related Identifiers

ALSA-2023:0096
ALSA-2023:0335
ALT-PU-2022-3381
ALT-PU-2023-2028
ALT-PU-2024-3680
AZL-11092
BDU:2022-06394
CESA-2023_0096
CVE-2022-42011
DLA-3142-1
DSA-5250-1
MGASA-2022-0365
OESA-2022-2000
OESA-2022-2001
OESA-2022-2051
OPENSUSE-SU-2022_3805-1
OPENSUSE-SU-2022_3806-1
OPENSUSE-SU-2024:12448-1
RHSA-2022:8812
RHSA-2022:8977
RHSA-2023:0096
RHSA-2023:0335
RHSA-2023_0096
RHSA-2023_0335
RLSA-2023:0096
RLSA-2023:0335
ROSA-SA-2025-2603
SUSE-SU-2022:3804-1
SUSE-SU-2022:3805-1
SUSE-SU-2022:3806-1
SUSE-SU-2022:4295-1
USN-5704-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
D-Bus
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu