Primary

Context

nbdkit Blocksize Filter Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the nbdkit blocksize filter. When a client requests block status for a very large data range, exceeding a specific limit, it causes an internal error in nbdkit. This issue arises because the blocksize filter uses a 32-bit variable, which can lead to an integer overflow. Requests larger than approximately 4 gigabytes wrap around to zero, triggering an assertion failure and causing a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to an assertion failure in nbdkit, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a block status request through the nbdkit blocksize filter that exceeds the limit of (2**32 - the minimum blocksize). The request will be rounded up to 4 gigabytes, causing an integer overflow that wraps around to zero and triggers an assertion failure.

Added: Jun 9, 2025, 6:19 AM

Updated: Jun 9, 2025, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

2.5

exploitability

6.2

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

2.5

exploitability

6.2

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

nbdkit Blocksize Filter Denial-of-Service Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

nbdkit

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating