Bug 2284255 (CVE-2024-36844) - CVE-2024-36844 libmodbus: use after free
Summary: CVE-2024-36844 libmodbus: use after free
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2024-36844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2284257 2284258
Blocks:
Reported: 2024-06-02 14:15 UTC by ybuenos
Modified: 2024-07-17 16:35 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-07-17 16:35:17 UTC
Embargoed:



Description ybuenos 2024-06-02 14:15:06 UTC
libmodbus v3.1.6 was discovered to contain a use-after-free via the ctx->backend pointer. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted message sent to the unit-test-server.

https://github.com/stephane/libmodbus/issues/749

Comment 1 ybuenos 2024-06-02 14:15:54 UTC
Created libmodbus tracking bugs for this issue:

Affects: epel-all [bug 2284257]
Affects: fedora-all [bug 2284258]

Comment 2 Eric Sandeen 2024-07-17 16:35:17 UTC
This is yet another duplicate of CVE-2024-36843, see discussion in https://github.com/stephane/libmodbus/issues/750 and https://github.com/stephane/libmodbus/issues/749

The flaw is fixed in version 3.1.7, which is already present in all supported distributions, so closing NOTABUG.
