CVE-2022-23086

EUVD-2022-28191
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header.  Other heap content would be overwritten if the specified size was too small.

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation.  Note that the device node is only accessible to root and members of the operator group.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
freebsdfreebsd
12.0 ≤
𝑥
< 12.3
freebsdfreebsd
12.3
freebsdfreebsd
12.3:p1
freebsdfreebsd
12.3:p2
freebsdfreebsd
12.3:p3
freebsdfreebsd
12.3:p4
freebsdfreebsd
13.0
freebsdfreebsd
13.0:beta1
freebsdfreebsd
13.0:beta2
freebsdfreebsd
13.0:beta3
freebsdfreebsd
13.0:beta3-p1
freebsdfreebsd
13.0:beta4
freebsdfreebsd
13.0:p1
freebsdfreebsd
13.0:p10
freebsdfreebsd
13.0:p2
freebsdfreebsd
13.0:p3
freebsdfreebsd
13.0:p4
freebsdfreebsd
13.0:p5
freebsdfreebsd
13.0:p6
freebsdfreebsd
13.0:p7
freebsdfreebsd
13.0:p8
freebsdfreebsd
13.0:p9
freebsdfreebsd
13.0:rc1
freebsdfreebsd
13.0:rc2
freebsdfreebsd
13.0:rc3
freebsdfreebsd
13.0:rc4
freebsdfreebsd
13.0:rc5
freebsdfreebsd
13.0:rc5-p1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
freebsdfreebsd
13.1-rc1 ≤
𝑥
< 13.1_p1
ADP
freebsdfreebsd
13.0 ≤
𝑥
< 13.0_p11
ADP
freebsdfreebsd
12.3 ≤
𝑥
< 12.0_p5
ADP
Common Weakness Enumeration
References
https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc
https://security.netapp.com/advisory/ntap-20240419-0002/
https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc
https://security.netapp.com/advisory/ntap-20240419-0002/