CVE-2015-7236
Description
Use-after-free in rpcbind 0.2.1 and earlier allows remote attackers to cause denial of service via crafted PMAP_CALLIT packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the xprt_set_caller function within rpcb_svc_com.c of rpcbind version 0.2.1 and earlier [1][2]. The bug occurs when a netbuf structure is shallow-copied, causing two netbuf structures to share a pointer to the same address buffer [1]. When one netbuf is freed, the other retains a dangling reference to the freed memory region [1][2]. The vulnerable code path is triggered by processing a PMAP_CALLIT RPC request [2].
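The ownership problem described above, as an added C illustration (not rpcbind's source and not the upstream fix): a struct assignment shares the address buffer between the saved caller record and the transport handle, while a deep copy gives the handle its own storage. The `struct netbuf` fields follow TI-RPC; `netbuf_copy_deep`, `netbuf_release`, `handle_survives_reply` and the sample address bytes are hypothetical names and constructed data.

```c
#include <stdlib.h>
#include <string.h>
/* Same three fields as the TI-RPC netbuf; function names are hypothetical. */
struct netbuf { unsigned int maxlen; unsigned int len; void *buf; };

/* Deep copy: dst owns separate storage. Returns 0, or -1 if malloc fails. */
static int netbuf_copy_deep(struct netbuf *dst, const struct netbuf *src)
{
    void *copy = malloc(src->len ? src->len : 1);
    if (copy == NULL)
        return -1;
    if (src->len)
        memcpy(copy, src->buf, src->len);
    dst->buf = copy;
    dst->maxlen = dst->len = src->len;
    return 0;
}

/* Free the buffer and clear the fields so a stale pointer is not reused. */
static void netbuf_release(struct netbuf *nb)
{
    free(nb->buf);
    nb->buf = NULL;
    nb->maxlen = nb->len = 0;
}

/* Model: the saved caller address is freed while the transport handle keeps
 * its copy. Returns 1 if that copy is intact, 0 if it aliased, -1 on error. */
static int handle_survives_reply(int use_deep_copy)
{
    static const unsigned char addr[8] = {0, 2, 0, 111, 192, 0, 2, 10}; /* constructed */
    struct netbuf saved = { sizeof addr, sizeof addr, malloc(sizeof addr) };
    struct netbuf xprt_addr = { 0, 0, NULL };
    int rc = 0, aliased;
    if (saved.buf == NULL)
        return -1;
    memcpy(saved.buf, addr, sizeof addr);
    if (use_deep_copy)
        rc = netbuf_copy_deep(&xprt_addr, &saved);
    else
        xprt_addr = saved;              /* shallow: buf pointer is shared */
    aliased = (xprt_addr.buf == saved.buf);
    netbuf_release(&saved);             /* saved copy freed by its owner */
    if (rc != 0 || aliased)
        return rc != 0 ? -1 : 0;        /* aliased: xprt_addr.buf dangles */
    rc = memcmp(xprt_addr.buf, addr, sizeof addr) == 0;
    netbuf_release(&xprt_addr);
    return rc;
}
```

In the shallow case the function deliberately never reads `xprt_addr.buf` after the free; it only reports that the handle was left pointing at released memory.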
Exploitation
An attacker can trigger the vulnerability by sending a crafted PMAP_CALLIT packet over UDP to an rpcbind service that is listening on the network [2][4]. No authentication is required, and no user interaction is needed [1][2]. The attack does not require any special network position beyond being able to send UDP packets to the target host [2]. The exploit sequence involves a PMAP_CALLIT call that causes rpcbind to duplicate the caller's address into a netbuf, then forward the call, and upon reply, free the netbuf without clearing the copy in the transport handle [2]. Subsequent incoming UDP packets reuse the freed buffer, leading to memory corruption and eventual crash [2].
Impact
Successful exploitation results in a use-after-free condition that causes rpcbind to crash (denial of service) [1][2][3][4]. The impact is limited to denial of service; available references do not indicate that the vulnerability can be leveraged for remote code execution or information disclosure [4]. The crash can be triggered repeatedly by an attacker, effectively disabling the RPC service on the affected host [1].
Mitigation
FreeBSD released patches as part of advisory FreeBSD-SA-15:24 [1]. Corrected versions are 10.2-RELEASE-p5, 10.1-RELEASE-p22, and 9.3-RELEASE-p28 [1]. Users should update their rpcbind installation to a fixed version. No workaround is mentioned in the available references. If no official patch is available for other platforms (e.g., some Linux distributions), the system should be protected by controlling network access to rpcbind (typically UDP port 111) via firewall rules [2][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- osv-coords, 11 versions (no CPE):
  - pkg:rpm/opensuse/rpcbind&distro=openSUSE%20Tumbleweed, range: < 0.2.3-7.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Desktop%2012, range: < 0.2.1_rc4-13.3.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%2012, range: < 0.2.1_rc4-13.3.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP3, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4, range: < 0.1.6+git20080930-6.24.1
  - pkg:rpm/suse/rpcbind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012, range: < 0.2.1_rc4-13.3.1
References
- lists.fedoraproject.org/pipermail/package-announce/2015-November/171030.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2015-November/172152.html (nvd)
- www.debian.org/security/2015/dsa-3366 (nvd)
- www.openwall.com/lists/oss-security/2015/09/17/1 (nvd)
- www.openwall.com/lists/oss-security/2015/09/17/6 (nvd)
- www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html (nvd)
- www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html (nvd)
- www.securityfocus.com/bid/76771 (nvd)
- www.securitytracker.com/id/1033673 (nvd)
- www.spinics.net/lists/linux-nfs/msg53045.html (nvd)
- www.ubuntu.com/usn/USN-2756-1 (nvd)
- security.freebsd.org/advisories/FreeBSD-SA-15:24.rpcbind.asc (nvd)
- security.gentoo.org/glsa/201611-17 (nvd)