CVE-2023-26551

2023-04-1121:15:21

Google

osv.dev

cve-2023-26551

ntp

out-of-bounds write

mstolfp

libntp

security vulnerability

software

5.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

5.9 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

34.4%

JSON

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write in the cp<cpdec while loop. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.

CPENameOperatorVersion
ntpeq1:4.2.8p15+dfsg-2~1.2.1+dfsg1-7+hurd.1
ntpeq1:4.2.8p15+dfsg-2~1.2.1+dfsg1-8+hurd.1
ntpeq1:4.2.8p15+dfsg-1
ntpeq1:4.2.8p15+dfsg-2~1.2.2+dfsg1-2+hurd.1

Name	Operator	Version
ntp	eq	1:4.2.8p15+dfsg-2~1.2.1+dfsg1-7+hurd.1
ntp	eq	1:4.2.8p15+dfsg-2~1.2.1+dfsg1-8+hurd.1
ntp	eq	1:4.2.8p15+dfsg-1
ntp	eq	1:4.2.8p15+dfsg-2~1.2.2+dfsg1-2+hurd.1