Bug 2489117 (CVE-2026-54877) - CVE-2026-54877 ofono: ofono: double-free vulnerability in cbs_assembly_expire()
Summary: CVE-2026-54877 ofono: ofono: double-free vulnerability in cbs_assembly_expire()
Keywords:
Status: NEW
Alias: CVE-2026-54877
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2489118
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-16 09:49 UTC by OSIDB Bzimport
Modified: 2026-06-16 10:29 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-16 09:49:43 UTC
A double-free vulnerability was found in oFono's CBS (Cell Broadcast Service) assembly handling. The function cbs_assembly_expire() in src/smsutil.c contains a typo at line 4231: after calling g_slist_free_full(node->pages, g_free) which frees the entire linked list including all nodes and page data, it immediately calls g_free(node->pages) which attempts to free the already-freed list head pointer. The correct call should be g_free(node) to free the assembly node itself. This also results in a memory leak since the node is never freed.

An attacker with a rogue base station (using SDR hardware and open-source BTS software) can exploit this by broadcasting 3 specially crafted CBS PDUs over the air interface. CBS is a one-to-many messaging system with no authentication in GSM, meaning all devices within the cell's radio range (~100m to 2km) receive the broadcast. The attack exploits CBS mod-16 circular update numbering to create a partial assembly that gets expired when a different update completes, triggering the double-free in cbs_assembly_expire() and crashing ofonod with heap corruption. Since ofonod runs as root with no sandbox, this crash affects the entire telephony stack.

The vulnerability was tested on oFono version 2.19 on Ubuntu 25.04.


Note You need to log in before you can comment on or make changes to this bug.