Bug 2365687 (CVE-2025-47711)

Summary: CVE-2025-47711 nbdkit: nbdkit-server: off-by-one error when processing block status may lead to a Denial of Service
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: rjones
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.
Bug Depends On: 2365690, 2365691, 2365692    

Description OSIDB Bzimport 2025-05-12 17:10:18 UTC
The nbdkit server had an off-by-one error when processing block status results from plugins on behalf of an NBD client. If a client requests block status for the maximum 32-bit length, and the plugin reports a larger length as a single extent, then nbdkit hits an assertion failure. A compliant client could use this to cause a denial-of-service attack against the server to prevent it from serving other clients.
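
An added illustration of the bug class described above, not nbdkit's code and not part of the original report: a server that narrows 64-bit plugin extents into 32-bit block status descriptors can clamp an oversized extent to the client's request instead of asserting on it. The struct and function names are hypothetical, and the sample extents in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for illustration; not nbdkit's internal structures. */
struct extent    { uint64_t offset; uint64_t length; uint32_t type; };
struct wire_desc { uint32_t length; uint32_t flags; };

/* Convert plugin-reported extents into 32-bit wire descriptors covering at
 * most `count` bytes starting at `offset`.  Plugin output is treated as
 * untrusted: an extent may start before `offset` or run far past the end of
 * the request (e.g. one extent of 2^32 bytes for a UINT32_MAX request), so
 * every length is clamped in 64-bit arithmetic before it is narrowed.
 * Returns the number of descriptors written, or -1 on malformed input.
 */
int extents_to_wire(const struct extent *ext, size_t n_ext,
                    uint64_t offset, uint32_t count,
                    struct wire_desc *out, size_t max_out)
{
    uint64_t pos = offset;       /* next byte that still needs a descriptor */
    uint64_t remaining = count;  /* bytes of the request not yet covered */
    size_t n = 0;

    for (size_t i = 0; i < n_ext && remaining > 0 && n < max_out; i++) {
        if (ext[i].offset > pos)
            return -1;           /* gap: extents must be contiguous */
        if (ext[i].length > UINT64_MAX - ext[i].offset)
            return -1;           /* offset + length would wrap */
        uint64_t end = ext[i].offset + ext[i].length;
        if (end <= pos)
            continue;            /* extent lies entirely before the request */

        uint64_t len = end - pos;
        if (len > remaining)
            len = remaining;     /* clamp to the request; do not assert */

        out[n].length = (uint32_t)len;  /* safe: len <= count <= UINT32_MAX */
        out[n].flags = ext[i].type;
        n++;
        pos += len;
        remaining -= len;
    }
    return n > 0 ? (int)n : -1;
}
```
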