VYPR
Unrated severity · NVD Advisory · Published May 15, 2019 · Updated Aug 4, 2024

CVE-2019-12106

Description

A use-after-free vulnerability in MiniUPnP MiniSSDPd 1.4 and 1.5 allows remote attackers to crash the process via a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The updateDevice function in minissdpd.c of MiniUPnP MiniSSDPd versions 1.4 and 1.5 contains a use-after-free vulnerability. When a memory reallocation fails, the function frees the old pointer but does not remove the corresponding element from the linked list, leaving a dangling pointer that can be accessed later [1].

Exploitation

An attacker can trigger the vulnerability by sending a specially crafted SSDP request that causes a memory allocation failure in updateDevice. The attacker requires network access to the SSDP service (typically UDP port 1900) and no authentication is needed. The crash occurs when the freed memory is subsequently dereferenced [1].

Impact

Successful exploitation results in a denial of service (DoS) by crashing the MiniSSDPd process. No code execution or privilege escalation is described in the available references [1].

Mitigation

The vulnerability is fixed in commit cd506a6, which removes the element from the list before freeing it when realloc fails [1]. Users should update to a patched version of MiniUPnP MiniSSDPd. No workaround is documented.
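The unlink-before-free ordering described under Vulnerability and Mitigation, as an added example that is not MiniSSDPd's code and is not taken from commit cd506a6. The `device` struct, the function names and the injectable `realloc_fn` are hypothetical, introduced only so the failure path can be forced.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type for illustration; not the MiniSSDPd structure. */
struct device { struct device *next; size_t len; char data[]; };
/* The reallocator is injectable so the failure path can be forced. */
typedef void *(*realloc_fn)(void *, size_t);
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Prepend a node; returns 0 on success, -1 on allocation failure. */
static int push_device(struct device **head, const char *data, size_t len) {
    struct device *d = malloc(sizeof(*d) + len);
    if (d == NULL) return -1;
    d->len = len;
    memcpy(d->data, data, len);
    d->next = *head;
    *head = d;
    return 0;
}

static size_t list_length(const struct device *d) {
    size_t n = 0;
    for (; d != NULL; d = d->next) n++;
    return n;
}

/* pp is the link that points at the node to update (head or some ->next). */
static int update_device(struct device **pp, const char *data, size_t len, realloc_fn ra) {
    struct device *old = *pp;
    struct device *tmp = ra(old, sizeof(*old) + len);
    if (tmp == NULL) {
        /* Unlink before freeing. Freeing `old` while *pp still points at it
           is the flaw described above: the next list walk reads freed memory. */
        *pp = old->next;
        free(old);
        return -1;
    }
    *pp = tmp;               /* realloc may move the block: repair the link */
    tmp->len = len;
    memcpy(tmp->data, data, len);
    return 0;
}

int main(void) {
    struct device *head = NULL;
    push_device(&head, "a", 1);
    update_device(&head, "x", 1, failing_realloc);  /* forced failure */
    return list_length(head) == 0 ? 0 : 1;
}
```

Building with `-fsanitize=address` and walking the list after a forced failure is a quick regression check for this class of bug.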

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
