CVE-2025-32366

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-32366
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response.

4.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://lapis-sawfish-be3.notion.site/0-day-Comman-memory-Leak-190dc00d01d080688472d322c93c4340
https://web.archive.org/web/20250410130356/https://lapis-sawfish-be3.notion.site/0-day-Comman-memory-Leak-190dc00d01d080688472d322c93c4340
https://web.git.kernel.org/pub/scm/network/connman/connman.git/tree/src/dnsproxy.c?h=1.44#n1001
https://web.git.kernel.org/pub/scm/network/connman/connman.git/tree/src/dnsproxy.c?h=1.44#n988
Configurations

No configuration.

History

11 Apr 2025, 18:15

Type Values Removed Values Added
References
  • () https://web.archive.org/web/20250410130356/https://lapis-sawfish-be3.notion.site/0-day-Comman-memory-Leak-190dc00d01d080688472d322c93c4340 -

10 Apr 2025, 22:15

Type Values Removed Values Added
Summary (en) In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen). Here, rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response. (en) In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response.

10 Apr 2025, 14:15

Type Values Removed Values Added
Summary (en) In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen). (en) In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen). Here, rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response.
References
  • () https://lapis-sawfish-be3.notion.site/0-day-Comman-memory-Leak-190dc00d01d080688472d322c93c4340 -
CVSS v2 : unknown
v3 : 3.7 		v2 : unknown
v3 : 4.8

07 Apr 2025, 14:17

Type Values Removed Values Added
Summary
  • (es) En ConnMan hasta 1.44, parse_rr en dnsproxy.c tiene una longitud de memcpy que depende de un valor RR RDLENGTH, es decir, *rdlen=ntohs(rr->rdlen) y memcpy(response+offset,*end,*rdlen).

06 Apr 2025, 00:15

Type Values Removed Values Added
CWE CWE-130
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 3.7

05 Apr 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-05 23:15

Updated : 2025-04-11 18:15

NVD link : CVE-2025-32366

Mitre link : CVE-2025-32366

CVE.ORG link : CVE-2025-32366

JSON object : View

Products Affected

No product.

CWE
CWE-130

Improper Handling of Length Parameter Inconsistency