CVE-2020-7464 in FreeBSD
Summary
by MITRE • 03/27/2021
In FreeBSD 12.2-STABLE before r365730, 11.4-STABLE before r365738, 12.1-RELEASE before p10, 11.4-RELEASE before p4, and 11.3-RELEASE before p14, a programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes. An adversary can exploit this to cause the driver to misinterpret part of the payload of a large packet as a separate packet, and thereby inject packets across security boundaries such as VLANs.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/24/2026
This vulnerability exists within the ure device driver of FreeBSD operating systems across multiple stable and release versions prior to specific patch releases. The programming error manifests in how the driver handles USB transfer packets exceeding 2048 bytes in size, creating a fundamental misinterpretation of packet boundaries that fundamentally compromises network security. The flaw specifically affects Realtek USB Ethernet interfaces, which are commonly used in various networking equipment and consumer devices, making this vulnerability potentially widespread across deployed systems.
The technical implementation error occurs at the USB transfer processing level where the driver incorrectly truncates packet lengths to 2048 bytes regardless of actual packet size. This misconfiguration creates a condition where larger packets are artificially limited in their reported length, causing downstream network processing to treat portions of these oversized packets as independent entities. The vulnerability stems from inadequate boundary checking and length validation within the USB Ethernet driver's packet handling routines, representing a classic case of improper input validation that allows for data corruption and misinterpretation.
The operational impact of this vulnerability extends beyond simple packet loss or corruption, creating a serious security boundary violation that enables cross-vlan packet injection attacks. An attacker exploiting this flaw can manipulate network traffic by causing the driver to interpret parts of legitimate large packets as separate network frames, effectively allowing unauthorized packet injection across virtual LAN segments. This capability directly violates fundamental network segmentation principles and could enable attackers to bypass VLAN-based access controls, potentially gaining access to restricted network segments or conducting man-in-the-middle attacks between otherwise isolated network zones.
This vulnerability aligns with CWE-129 Input Validation and Output Processing, specifically addressing improper handling of oversized data structures within network drivers. The attack vector follows patterns consistent with ATT&CK technique T1046 Network Service Scanning, as exploitation enables adversaries to manipulate network traffic flow and potentially discover network topology elements through packet injection. The flaw represents a privilege escalation opportunity for network attackers who can leverage this misconfiguration to breach security perimeters that would normally protect against direct packet injection attacks.
Mitigation strategies should focus on immediate patch application to the affected FreeBSD versions, ensuring all systems are updated to releases containing the corrected ure driver implementation. Network administrators should also implement additional monitoring for anomalous packet behavior and consider deploying network segmentation controls that can detect and prevent unauthorized packet injection attempts. The solution requires careful attention to USB Ethernet driver updates and thorough testing of network configurations to ensure proper handling of large packets without compromising system performance or security posture.