OpenBSD up to 7.3 Errata 019/7.4 Errata 005 fastcgi Request null pointer dereference
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.3 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as problematic has been found in OpenBSD up to 7.3 Errata 019/7.4 Errata 005. The impacted element is an unknown function of the component fastcgi Request Handler. The manipulation results in null pointer dereference. This vulnerability is reported as CVE-2024-11148. The attack can be launched remotely. No exploit exists. It is advisable to implement a patch to correct this issue.
Details
A vulnerability was found in OpenBSD up to 7.3 Errata 019/7.4 Errata 005. It has been classified as critical. Affected is an unknown part of the component fastcgi Request Handler. The manipulation with an unknown input leads to a null pointer dereference vulnerability. CWE is classifying the issue as CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. This is going to have an impact on availability. CVE summarizes:
In OpenBSD 7.4 before errata 006 and OpenBSD 7.3 before errata 020, httpd(8) is vulnerable to a NULL dereference when handling a malformed fastcgi request.
The advisory is shared for download at ftp.openbsd.org. This vulnerability is traded as CVE-2024-11148 since 11/12/2024. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.
Applying the patch 7.3 Errata 020/7.4 Errata 006 is able to eliminate this problem.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CNA CVSS-B Score: 🔍
CNA CVSS-BT Score: 🔍
CNA Vector: 🔍
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 7.3
VulDB Base Score: 7.5
VulDB Temp Score: 7.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 7.5
CNA Vector (cisa-cg): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Null pointer dereferenceCWE: CWE-476 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: 7.3 Errata 020/7.4 Errata 006
Timeline
11/12/2024 🔍12/05/2024 🔍
12/05/2024 🔍
09/23/2025 🔍
Sources
Advisory: ftp.openbsd.orgStatus: Confirmed
CVE: CVE-2024-11148 (🔍)
GCVE (CVE): GCVE-0-2024-11148
GCVE (VulDB): GCVE-100-287052
Entry
Created: 12/05/2024 21:55Updated: 09/23/2025 15:09
Changes: 12/05/2024 21:55 (77), 09/23/2025 15:09 (1)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.