CVE-2022-23086

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header.  Other heap content would be overwritten if the specified size was too small.

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation.  Note that the device node is only accessible to root and members of the operator group.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
freebsdCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
freebsdfreebsd
12.0 ≤
𝑥
< 12.3
freebsdfreebsd
12.3
freebsdfreebsd
12.3:p1
freebsdfreebsd
12.3:p2
freebsdfreebsd
12.3:p3
freebsdfreebsd
12.3:p4
freebsdfreebsd
13.0
freebsdfreebsd
13.0:beta1
freebsdfreebsd
13.0:beta2
freebsdfreebsd
13.0:beta3
freebsdfreebsd
13.0:beta3-p1
freebsdfreebsd
13.0:beta4
freebsdfreebsd
13.0:p1
freebsdfreebsd
13.0:p10
freebsdfreebsd
13.0:p2
freebsdfreebsd
13.0:p3
freebsdfreebsd
13.0:p4
freebsdfreebsd
13.0:p5
freebsdfreebsd
13.0:p6
freebsdfreebsd
13.0:p7
freebsdfreebsd
13.0:p8
freebsdfreebsd
13.0:p9
freebsdfreebsd
13.0:rc1
freebsdfreebsd
13.0:rc2
freebsdfreebsd
13.0:rc3
freebsdfreebsd
13.0:rc4
freebsdfreebsd
13.0:rc5
freebsdfreebsd
13.0:rc5-p1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc
https://security.netapp.com/advisory/ntap-20240419-0002/
https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc
https://security.netapp.com/advisory/ntap-20240419-0002/