Fedora Account System
Red Hat Associate
Red Hat Customer
A double-free vulnerability was found in oFono's CBS (Cell Broadcast Service) assembly handling. The function cbs_assembly_expire() in src/smsutil.c contains a typo at line 4231: after calling g_slist_free_full(node->pages, g_free) which frees the entire linked list including all nodes and page data, it immediately calls g_free(node->pages) which attempts to free the already-freed list head pointer. The correct call should be g_free(node) to free the assembly node itself. This also results in a memory leak since the node is never freed. An attacker with a rogue base station (using SDR hardware and open-source BTS software) can exploit this by broadcasting 3 specially crafted CBS PDUs over the air interface. CBS is a one-to-many messaging system with no authentication in GSM, meaning all devices within the cell's radio range (~100m to 2km) receive the broadcast. The attack exploits CBS mod-16 circular update numbering to create a partial assembly that gets expired when a different update completes, triggering the double-free in cbs_assembly_expire() and crashing ofonod with heap corruption. Since ofonod runs as root with no sandbox, this crash affects the entire telephony stack. The vulnerability was tested on oFono version 2.19 on Ubuntu 25.04.