CVE-2022-26496

9.8 CRITICAL

📋 TL;DR

CVE-2022-26496 is a critical stack-based buffer overflow vulnerability in nbd-server (Network Block Device server) that allows remote attackers to execute arbitrary code or cause denial of service. Attackers can exploit this by sending specially crafted NBD_OPT_INFO or NBD_OPT_GO messages with oversized name fields. This affects all systems running vulnerable versions of nbd-server with network exposure.

💻 Affected Systems

Products:
  • nbd
  • nbd-server
Versions: All versions before 3.24
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where nbd-server is running and accessible via network. Local-only configurations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root privileges leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Remote denial of service causing nbd-server crashes and disruption of network block device services.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized access to nbd-server ports.

🌐 Internet-Facing: HIGH - nbd-server typically listens on network ports (default 10809/tcp) and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems on the same network could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with publicly available technical details. No authentication is required to trigger the buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.24 and later

Vendor Advisory: https://lists.debian.org/nbd/2022/01/msg00036.html

Restart Required: Yes

Instructions:

1. Update the nbd package to version 3.24 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install nbd
3. For RHEL/CentOS/Fedora: use dnf or yum to update the nbd package.
4. Restart the nbd-server service: sudo systemctl restart nbd-server

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to the nbd-server port (default 10809/tcp) using firewall rules that only allow trusted hosts (replace trusted_ip with the client address or subnet). Because -A appends, an existing rule earlier in the INPUT chain that already accepts this port would take precedence over the DROP rule, so check the chain order after adding these.

sudo iptables -A INPUT -p tcp --dport 10809 -s trusted_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 10809 -j DROP

Disable Network Exposure

Configure nbd-server to only listen on localhost if remote access is not required.

Edit the nbd-server configuration to set the bind address to 127.0.0.1 (the listenaddr option in the [generic] section of the configuration file documented in nbd-server(5)), then restart the service for the change to take effect.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to isolate nbd-server from untrusted networks.
  • Monitor nbd-server logs for unusual connection attempts and implement rate limiting on the service.

🔍 How to Verify

Check if Vulnerable:

Check the nbd-server version: nbd-server --version | grep -i version. If the version is below 3.24, the system is vulnerable.

Check Version:

nbd-server --version

Verify Fix Applied:

After updating, verify that the version is 3.24 or higher: nbd-server --version. Then test service functionality with legitimate NBD clients.
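The version check above, as an added shell script that is not part of this advisory: it parses the version banner and compares it numerically against the fixed release 3.24, so that 3.9 is correctly treated as older than 3.24. It assumes the banner printed by nbd-server --version contains a dotted version number such as "3.21"; the exact wording of the banner is an assumption.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an nbd-server
# version banner reports a release below the fixed version 3.24.
# Assumption: the banner contains a dotted version such as "3.21"; the
# exact wording of nbd-server's banner is not taken from the advisory.

FIXED_VERSION="3.24"

# extract_version BANNER: print the first dotted version number in BANNER
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# version_lt A B: succeed when A is numerically lower than B, component by
# component (so 3.9 < 3.24, unlike a plain string comparison)
version_lt() {
    [ "$1" != "$2" ] || return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# nbd_vulnerable BANNER: exit 0 when the version is below 3.24 (vulnerable),
# 1 when it is 3.24 or newer, 2 when no version number could be parsed
nbd_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    if version_lt "$v" "$FIXED_VERSION"; then
        return 0
    fi
    return 1
}

# Check the installed binary, if present, using the command the advisory names
if command -v nbd-server >/dev/null 2>&1; then
    banner=$(nbd-server --version 2>&1 || true)
    rc=0
    nbd_vulnerable "$banner" || rc=$?
    case "$rc" in
        0) echo "nbd-server $(extract_version "$banner") is below $FIXED_VERSION: vulnerable to CVE-2022-26496" ;;
        1) echo "nbd-server $(extract_version "$banner") is $FIXED_VERSION or newer: fixed" ;;
        *) echo "could not parse a version number from: $banner" ;;
    esac
fi
```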

📡 Detection & Monitoring

Log Indicators:

  • Multiple connection attempts to port 10809 with large payloads
  • nbd-server crash logs or core dumps
  • Unusual NBD_OPT_INFO or NBD_OPT_GO requests in application logs

Network Indicators:

  • Unusual traffic to port 10809/tcp with large packet sizes
  • Multiple connection attempts from single source to nbd-server port

SIEM Query:

(source="nbd-server.log" AND ("segmentation fault" OR "buffer overflow" OR "crash")) OR (destination_port=10809 AND packet_size>threshold)
