Bug 1934727 (CVE-2021-20286) - CVE-2021-20286 libnbd: Assertion failure in nbd_unlocked_opt_go in lib/opt.c
Summary: CVE-2021-20286 libnbd: Assertion failure in nbd_unlocked_opt_go in lib/opt.c
Status: NEW
Alias: CVE-2021-20286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1937890 1937891 1938143
Blocks: 1934728 1937913
TreeView+ depends on / blocked
Reported: 2021-03-03 18:14 UTC by Pedro Sampaio
Modified: 2023-07-07 08:28 UTC (History)
5 users (show)

Fixed In Version: libnbd 1.7.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libnbd. A malicious server may be able to kill a client application using libnbd due to an assertion failure in nbd_unlocked_opt_go() leading to denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-03-03 18:14:22 UTC
A flaw was found in libnbd. An assertion failure in in nbd_unlocked_opt_go in ilb/opt.c may lead to denial of service.

Comment 2 Mauro Matteo Cascella 2021-03-11 16:39:31 UTC
Upstream fix:

Comment 4 Richard W.M. Jones 2021-03-11 17:07:43 UTC
It's really all Eric's work, I just tested his patch.

Comment 5 Mauro Matteo Cascella 2021-03-11 17:10:04 UTC

Name: Eric Blake (Red Hat)

Comment 11 Mauro Matteo Cascella 2021-03-22 10:19:08 UTC

Red Hat Enterprise Linux 8 is not affected by this issue. The affected API was introduced in upstream `libnbd` version 1.4 which is only shipped in RHEL Advanced Virtualization 8.3.0 onward.

Note You need to log in before you can comment on or make changes to this bug.