High severity7.5NVD Advisory· Published May 4, 2017· Updated May 13, 2026

CVE-2017-8779

Description

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Affected products

Libtirpc Project/Libtirpc
cpe:2.3:a:libtirpc_project:libtirpc:*:*:*:*:*:*:*:*
Range: <=1.0.1
Ntirpc Project/Ntirpc
cpe:2.3:a:ntirpc_project:ntirpc:*:*:*:*:*:*:*:*
Range: <=1.4.3
Rpcbind Project/Rpcbind
cpe:2.3:a:rpcbind_project:rpcbind:*:*:*:*:*:*:*:*
Range: <=0.2.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

openwall.com/lists/oss-security/2017/05/03/12nvdMailing ListPatchThird Party Advisory
openwall.com/lists/oss-security/2017/05/04/1nvdMailing ListPatchThird Party Advisory
www.securityfocus.com/bid/98325nvdThird Party AdvisoryVDB Entry
guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/nvdThird Party Advisory
www.debian.org/security/2017/dsa-3845nvd
www.securitytracker.com/id/1038532nvd
access.redhat.com/errata/RHBA-2017:1497nvd
access.redhat.com/errata/RHSA-2017:1262nvd
access.redhat.com/errata/RHSA-2017:1263nvd
access.redhat.com/errata/RHSA-2017:1267nvd
access.redhat.com/errata/RHSA-2017:1268nvd
access.redhat.com/errata/RHSA-2017:1395nvd
security.gentoo.org/glsa/201706-07nvd
security.netapp.com/advisory/ntap-20180109-0001/nvd
usn.ubuntu.com/3759-1/nvd
usn.ubuntu.com/3759-2/nvd
www.exploit-db.com/exploits/41974/nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.065
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000