Null pointer dereference

2021-06-0412:15:00

PRIOn knowledge base

www.prio-n.com

0.001 Low

EPSS

Percentile

45.6%

JSON

In FreeBSD 12.2-STABLE before r367402, 11.4-STABLE before r368202, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 the handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free.

CPENameOperatorVersion
freebsdeq12.1
freebsdeq12.1 p2
freebsdeq12.1 p3
freebsdeq12.1 p4
freebsdeq11.4 beta1
freebsdeq11.4
freebsdeq12.1 p5
freebsdeq11.4 rc2
freebsdeq11.4 rc1
freebsdeq12.1 p6

Name	Operator	Version
freebsd	eq	12.1
freebsd	eq	12.1 p2
freebsd	eq	12.1 p3
freebsd	eq	12.1 p4
freebsd	eq	11.4 beta1
freebsd	eq	11.4
freebsd	eq	12.1 p5
freebsd	eq	11.4 rc2
freebsd	eq	11.4 rc1
freebsd	eq	12.1 p6