CVE-2023-2794 - Vulnerability Details - OpenCVE

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver().

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Ofono	Ofono
Ofono Project	Ofono

Configuration 1 [-]

cpe:2.3:a:ofono_project:ofono:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:39:::::::*
	cpe:2.3:o:fedoraproject:fedora:40:::::::*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2255387

History

Wed, 06 Aug 2025 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fedoraproject Fedoraproject fedora Ofono Project Ofono Project ofono
CPEs		cpe:2.3:a:ofono_project:ofono:::::::: cpe:2.3:o:fedoraproject:fedora:39:::::::* cpe:2.3:o:fedoraproject:fedora:40:::::::*
Vendors & Products		Fedoraproject Fedoraproject fedora Ofono Project Ofono Project ofono

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2024-04-10T10:15:43.908Z

Updated: 2024-08-02T06:33:05.603Z

Reserved: 2023-05-18T12:42:16.295Z

Link: CVE-2023-2794

Vulnrichment

Updated: 2024-08-02T06:33:05.603Z

NVD

Status : Analyzed

Published: 2024-04-10T11:15:48.280

Modified: 2025-08-06T18:25:49.440

Link: CVE-2023-2794

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2794", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2023-05-18T12:42:16.295Z", "datePublished": "2024-04-10T10:15:43.908Z", "dateUpdated": "2024-08-02T06:33:05.603Z"}, "containers": {"cna": {"title": "Ofono: sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver() function", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver()."}], "affected": [{"versions": [{"status": "unaffected", "version": "2.5", "lessThan": "*", "versionType": "custom"}], "packageName": "ofono", "collectionURL": "https://git.kernel.org/pub/scm/network/ofono/ofono.git"}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255387", "name": "RHBZ#2255387", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-12-20T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "timeline": [{"lang": "en", "time": "2023-12-20T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-12-20T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Mitch Zakocs (Trend Micro Zero Day Initiative) for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:37:57.665Z"}}, "adp": [{"affected": [{"vendor": "linux", "product": "ofono", "cpes": ["cpe:2.3:a:linux:ofono:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T15:40:32.798851Z", "id": "CVE-2023-2794", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:59:20.752Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:33:05.603Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255387", "name": "RHBZ#2255387", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255387", "name": "RHBZ#2255387", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:33:05.603Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2794", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-03T15:40:32.798851Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:linux:ofono:*:*:*:*:*:*:*:*"], "vendor": "linux", "product": "ofono", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:59:17.706Z"}}], "cna": {"title": "Ofono: sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver() function", "credits": [{"lang": "en", "value": "Red Hat would like to thank Mitch Zakocs (Trend Micro Zero Day Initiative) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "unaffected", "version": "2.5", "lessThan": "*", "versionType": "custom"}], "packageName": "ofono", "collectionURL": "https://git.kernel.org/pub/scm/network/ofono/ofono.git"}], "timeline": [{"lang": "en", "time": "2023-12-20T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-12-20T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-12-20T00:00:00+00:00", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255387", "name": "RHBZ#2255387", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver()."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:37:57.665Z"}, "x_redhatCweChain": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"}}, "cveMetadata": {"cveId": "CVE-2023-2794", "state": "PUBLISHED", "dateUpdated": "2024-08-02T06:33:05.603Z", "dateReserved": "2023-05-18T12:42:16.295Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2024-04-10T10:15:43.908Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ofono_project:ofono:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6411B8D-6CF2-4AB1-B3BB-A02BD2CD52C0", "versionEndExcluding": "2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver()."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en ofono, una telefon\u00eda de c\u00f3digo abierto en Linux. Se activa un error de desbordamiento de pila dentro de la funci\u00f3n decode_deliver() durante la decodificaci\u00f3n de SMS. Se supone que se puede acceder al escenario del ataque desde un m\u00f3dem comprometido, una estaci\u00f3n base maliciosa o simplemente un SMS. Hay una verificaci\u00f3n vinculada para esta longitud de memcpy en decode_submit(), pero se olvid\u00f3 en decode_deliver()."}], "id": "CVE-2023-2794", "lastModified": "2025-08-06T18:25:49.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "patrick@puiterwijk.org", "type": "Secondary"}]}, "published": "2024-04-10T11:15:48.280", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Third Party Advisory", "Exploit"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255387"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory", "Exploit"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255387"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}