Arbitrary Code Injection Affecting kfreebsd-10 package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN10-KFREEBSD10-1244035
- published8 Apr 2021
- disclosed26 Mar 2021
Introduced: 26 Mar 2021
CVE-2020-7464 (opens in a new tab)How to fix?
There is no fixed version for Debian:10 kfreebsd-10.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kfreebsd-10 package and not the kfreebsd-10 package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
In FreeBSD 12.2-STABLE before r365730, 11.4-STABLE before r365738, 12.1-RELEASE before p10, 11.4-RELEASE before p4, and 11.3-RELEASE before p14, a programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes. An adversary can exploit this to cause the driver to misinterpret part of the payload of a large packet as a separate packet, and thereby inject packets across security boundaries such as VLANs.